auditor general of bc - the status of government’s general computing controls: 2014
TRANSCRIPT
THE STATUS OF GOVERNMENT’S
GENERAL COMPUTING CONTROLS: 2014
www.bcauditor.com
December 2015
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
P: 250.419.6100
F: 250.387.1230
www.bcauditor.com
CONTENTS
Auditor General’s Comments
Report Highlights
Response from the Ministry of Technology, Innovation and Citizens’ Services
Background
What we did
What we observed
What organizations should do
Appendix A: Maturity level by IT process and type of organization
Appendix B: Summary of IT audit recommendations over the last 10 years
The Honourable Linda Reid
Speaker of the Legislative Assembly
Province of British Columbia
Parliament Buildings
Victoria, British Columbia
V8V 1X4
Dear Madame Speaker:
I have the honour to transmit to the Legislative Assembly of British Columbia my report, The Status of Government’s General Computing Controls: 2014.
We conducted this audit under the authority of sections 10 and 11 (8) (b) of the Auditor General Act and in accordance with the standards for assurance engagements set out by the Chartered Professional Accountants of Canada (CPA) in the CPA Canada Handbook – Assurance and in accordance with Value-for-Money Auditing in the Public Sector.
Carol Bellringer, FCPA, FCA
Auditor General
Victoria, BC
December 2015
Auditor General of British Columbia | December 2015 | The Status of Government’s General Computing Controls: 2014
Carol Bellringer, FCPA, FCA, Auditor General
AUDITOR GENERAL’S COMMENTS
Information technology (IT) systems are vulnerable to threats like hacking, theft and systems disruption due to physical damage or sabotage. For government IT systems, there’s even more at stake because these systems contain substantial – and sensitive – information. We rely on IT systems for essential services like healthcare, education and transportation, and for millions of financial transactions across all government organizations.
Strong general computing controls are government’s first line of defence against potential threats. They control who can access the systems (confidentiality), how to make changes to the systems (integrity), and backup and recovery of systems (availability).
We’ve seen issues with general computing controls in previous audits of IT systems, including PARIS, CORNET, JUSTIN, ICM and wireless networks in government. Over the last 10 years, 78% of the recommendations in our IT audit reports have been about improving general computing controls, thus illustrating their importance.
For this report, we looked at how good government’s general computing controls are, and how good government organizations think they are. To do this, we asked 148 government organizations (ministries, Crown corporations, health authorities, universities, colleges, schools and more) to self-assess how well-developed and capable their general computing controls are. This is known as the maturity level. We then validated 13 self-assessments from across all types of organizations.
The majority of organizations self-assessed at maturity level 3 and above. However, in our validation, we found that 69% of organizations over-rated their self-assessments. They didn’t have sufficient evidence to support their self-assessments. And most of the organizations lacked documentation of policies and procedures – both hallmarks of mature
general computing controls. We encourage all organizations to take a critical look at their IT processes and be realistic about their level of maturity.
We believe that each organization should aim for at least maturity level 3 as their baseline. That said, some organizations should have a higher target maturity level, especially those that have complex computing needs or handle sensitive information.
The findings and recommendations from this audit should be of interest to all IT professionals in government organizations. Senior management needs to fully understand the importance of general computing controls and how they can mitigate threats to their IT systems. We are recommending that organizations review their business and IT goals and determine which maturity level is best suited for their needs, and then ensure that maturity level is achieved and maintained.
We are grateful to all 148 organizations for completing their self-assessments. We had a 100% response rate, which helps to make our job easier. And thank you to the 13 organizations whose results we validated – we appreciate your cooperation.
Carol Bellringer, FCPA, FCA
Auditor General
Victoria, BC
December 2015
REPORT HIGHLIGHTS
78% of our previous IT audit recommendations were about general computing controls
IT is critical to government’s service delivery – from healthcare to education
Strong general computing controls can reduce the impact of risks
Over 600 IT services are outsourced to external parties
69% of audited organizations lacked sufficient evidence to support their self-assessed levels
Majority of organizations self-assessed at maturity level 3 and above
Use of IT comes with risks: fraud, errors, system disruption
BC government organizations self-assessed a higher average maturity level than 2013
RESPONSE FROM THE MINISTRY OF TECHNOLOGY, INNOVATION AND CITIZENS’ SERVICES
The Office of the Chief Information Officer (OCIO) would like to thank the Auditor General for reviewing the status of Government’s General Computing controls. Government takes very seriously the importance of general computing controls as the first line of defense against potential threats and is committed to ensuring ongoing confidentiality, integrity and availability of systems and data under its mandate.
I accept the Auditor General’s recommendation pertaining to the Government Chief Information Officer’s role in promoting strong controls and assisting organizations with implementing them, and will continue to carry out this role within my mandate. I have taken prompt and appropriate action and have planned future improvements to the extent that my office is empowered to do so under the government Core Policies.
To date we have completed our Annual Information Security Review and created a Vulnerability and Risk Management team to respond to relevant incidents, integrated formal security requirements into vendor service procurements, implemented advanced cybersecurity and vulnerability scanning tools, published new standards for Critical Systems and Enterprise Business Architecture to be applied by all ministries, formalized the Terms of Reference and processes for OCIO’s Change Advisory Board, and completed government’s annual Business Continuity Plan exercise and developed plans to address the identified gaps.
In the coming months we plan to undertake a comprehensive data classification standards review, continue our work on developing a Cloud security standard, continue to implement critical security infrastructure into government’s data centres, implement a government-wide proactive issues management process, and continue our efforts to ensure compliance with relevant government standards and policies.
We appreciate the efforts of the Office of the Auditor General (OAG) of British Columbia in their assessment of government’s computing general controls, with the ultimate objective of reducing overall risk to government. The information provided by “The Status of Government’s General Computing Controls: 2014” has provided valuable information regarding the maturity of the management of the controls and will assist in prioritizing improvements.
My office will continue to work with Ministry Chief Information Officers to improve management of controls to achieve their targeted maturity level. We look forward to future years’ assessment by the Auditor General staff.
BACKGROUND
THE IMPORTANCE OF GENERAL COMPUTING CONTROLS
Information technology (IT) is critical to government’s day-to-day operations. From delivering services like healthcare and education to processing billions of dollars in transactions, BC’s government IT systems handle substantial and sensitive information. This impacts the daily lives of everyone in our province.
More and more, government is relying on third parties to develop their IT systems and provide IT services. There are currently over 600 outsourced IT systems and services across government.
All these come with risks, such as:
- fraud: intentional access to systems and data for personal gain
- human errors: unintentional changes to systems and data
- down time: inability to resume critical services quickly after an unexpected disruption (power outages, disasters or malicious activities)
To reduce the impact of these risks, government needs strong controls.
General computing controls ensure that IT systems and services can help organizations fulfill their needs (the business objectives) through the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations.
They play an important role in detecting and preventing fraud and errors, protecting organizations’ IT assets and ensuring that critical business operations could continue. As such, 78% of the recommendations in our IT audit reports over the last 10 years focused on improving general computing controls. See Appendix B for a summary of these 104 IT audit recommendations.
RESPONSIBILITY FOR GENERAL COMPUTING CONTROLS
The BC Office of the Government Chief Information Officer is mandated with governance authority for standards setting, oversight and approvals for the province’s information and communications technology.
BC government organizations are responsible for following the spirit and intent of this policy in designing and implementing the general computing controls best suited for their IT environment – regardless of whether IT systems or services are in-house or outsourced.
BC government organizations include ministries, Crown corporations, universities, colleges, school districts, health authorities and other organizations controlled by or accountable to the provincial government. Collectively, they are called the Government Reporting Entity (GRE).
WHAT WE DID
2013
In 2013, we asked 138 organizations in the GRE to complete a self-assessment of their sophistication regarding use of general computing controls. We reported the results in terms of a maturity level that each BC government organization had attained.
The self-assessment was designed using the maturity model defined in the COBIT 4.1 framework (see Exhibit 1). The maturity model is a way to assess how well developed and capable the established IT controls are.
COBIT 4.1 is a globally accepted framework developed by the IT Governance Institute. The institute was formed by ISACA – an independent, non-profit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.
The self-assessment focused on nine critical IT processes defined in COBIT 4.1 as essential for maintaining:
- confidentiality: protecting the information they manage
- integrity: ensuring that transactions are processed correctly
- availability: ensuring critical government services are always up and running
Exhibit 1: COBIT 4.1 maturity model rating definitions
0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 - Initial/ad hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable but intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 - Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 - Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Source: COBIT 4.1 control framework for IT governance (www.isaca.org)
See Table 1 for the description of each of the nine areas.
In 2013, we received 100% of the organizations’ self-assessments. We did not validate the results of their self-assessments, but we sent reports to the heads of each organization. The reports showed their results compared to similar organizations and provided recommendations on how they can achieve or improve their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.
In January 2014, we published a high-level report summarizing our findings and intent for future years as part of our IT compendium report.
2014
In August 2014, we asked the same 137¹ organizations, plus nine Independent Offices of the Legislative Assembly and two new organizations (in total, 148 organizations), to complete the same self-assessment.
This year, though, we selected 13 organizations and validated their self-assessments. This sample included a ministry, a health authority, two Crown corporations, three universities, two colleges and four school districts. The validation process included:
- reviewing the completed self-assessment form
- interviewing key IT personnel from each organization
- examining supporting evidence for the self-assessed levels
Again, we sent detailed reports to the heads of all 148 organizations, comparing their results to similar organizations as well as their 2013 results. These reports provided recommendations on how they can achieve or improve on their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.
We conducted this project under sections 10 and 11 (8) (b) of the Auditor General Act, from August 2014 to June 2015.
¹ One of the 138 organizations in 2013 was dissolved in 2014.
DETERMINING THE BENCHMARK
The COBIT 4.1 model states that maturity levels may be different for each organization, depending on the organizations’ business objectives, complexity of their computing systems and IT environment, and the value of the information they manage. For example, a government organization that has the personal information of every person in British Columbia, or that provides critical services, should have higher maturity levels.
We believe that each organization should aim for at least maturity level 3, Defined Process, as their baseline. At this level, organizations have standardized and documented their procedures, mandated that they be followed and trained staff accordingly.
WHAT WE OBSERVED
ORGANIZATIONS SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013
Overall, the average self-assessed maturity level across all the organizations in the BC GRE and the nine IT processes was between 2.3 and 3.4. This is slightly higher than the 2013 results, which were between maturity levels 2.2 and 3.3. (See Exhibit 2.)
Health authorities, ministries and Crown corporations had consistently higher average maturity levels than universities, colleges and school districts. See Appendix A for maturity levels by the nine IT processes and type of organization.
Exhibit 2: Range and average self-assessed maturity level for each IT process
[Chart not reproduced. Vertical axis: maturity levels (0 to 5). Horizontal axis: IT processes (Monitor and evaluate IT performance; Manage operations; Manage the physical environment; Ensure systems security; Ensure continuous service; Manage third-party services; Install and accredit solutions and changes; Manage changes; Assess and manage IT risks). Series: 2014 range, 2013 range, 2014 average, 2013 average.]
Source: Office of the Auditor General of British Columbia
THE MAJORITY OF ORGANIZATIONS SELF-ASSESSED AT MATURITY LEVEL 3 AND ABOVE
Between 51% and 84% of the organizations self-assessed at maturity level 3 and above in eight of the nine IT processes. (See Exhibit 3.)
Exhibit 3: Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
[Chart not reproduced. Vertical axis: percentage (0 to 100). Horizontal axis: IT processes (Monitor and evaluate IT performance; Manage operations; Manage the physical environment; Ensure systems security; Ensure continuous service; Manage third-party services; Install and accredit solutions and changes; Manage changes; Assess and manage IT risks). Series: 2014 and 2013, each split into maturity level 3 and above and below maturity level 3.]
Source: Office of the Auditor General of British Columbia
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL
In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one, or as many as all nine, IT processes.
For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.
Validation findings for the nine IT processes
The table below summarizes our validation results for each of the nine IT processes we looked at.
Table 1: Validation findings for each IT process
1. Assess and manage IT risks
All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks so that senior management can make informed decisions about the risks they are willing to accept.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.
Deficiencies in general computing controls:
- Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
- Risk management processes were not consistently applied to all activities in IT operations.
2. Manage changes
Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay of services, or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.
Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.
Deficiencies in general computing controls:
- Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
- Lack of management’s periodic monitoring of compliance with established policies, standards and procedures.
3. Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in-line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed
4. Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers.
- Did not follow its IT purchasing policy, and the policy was out-dated.
5. Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined.
- Lack of training and monitoring for continuous service.
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.).
6. Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies.
- Responsibility for systems security was neither clearly assigned nor independent from IT operations.
- Security awareness and training was limited.
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or was not aligned with business objectives.
7. Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed.
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak.
- Not all staff were trained in health, safety and emergency procedures.
8. Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations.
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures.
9. Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance.
- High degree of reliance on the knowledge of individuals monitoring activities.
- Procedures and indicators for managing IT performance were still in development.
- Where monitoring processes exist, the indicators were output-based rather than outcome-based.
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO
We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.
We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Figure: 1 Assess and manage IT risks. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Figure: 2 Manage changes. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Figure: 3 Install and accredit solutions and changes. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Figure: 4 Manage third-party services. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Figure: 5 Ensure continuous service. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Figure: 6 Ensure systems security. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Figure: 7 Manage the physical environment. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Figure: 8 Manage operations. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Figure: 9 Monitor and evaluate IT performance. Chart of average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
| IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes |
| --- | --- | --- | --- |
| Audit of the Government's Corporate Accounting System: Part 1 | 14 | 12 | 86% |
| Audit of the Government's Corporate Accounting System: Part 2 | 13 | 5 | 38% |
| Electronic Health Record Implementation in British Columbia | 3 | 2 | 67% |
| Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100% |
| Integrated Case Management System | 7 | 5 | 71% |
| IT Continuity Planning in Government | 9 | 9 | 100% |
| Managing Access to the Corrections Case Management System | 9 | 9 | 100% |
| Managing Government's Payment Processing | 6 | 3 | 50% |
| Securing the Justin System: Access and Security Audit at The Ministry of Justice | 5 | 5 | 100% |
| Summary Report: Results of Completed Projects - Info Security Management: An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100% |
| Summary Report: Results of Completed Projects - Wireless Networking Security: Phase 3 | 22 | 16 | 73% |
| The PARIS System for Community Care Services: Access and Security | 10 | 9 | 90% |
| Wireless Networking Security in Government: Phase 2 | 21 | 15 | 71% |
| Wireless Networking Security in Victoria Government Offices: Gaps in the Defensive Line | 4 | 4 | 100% |
| Total | 133 | 104 | 78% |
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains further information about the Office.
Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover
Assistant Auditor General, Corporate Services
David Lau
Director, IT Audit
Joji Forin
Manager, IT Audit
Joyce Mak
Senior Auditor, Financial Audit
Helen Li-Hennessey
Senior Auditor, Financial Audit
Nijjy Poikanon
Auditor, IT Audit
Wendy Lee
Senior Audit Associate, Financial Audit
Thank you to our staff members not listed above for your work on this project.
C983137983154983151983148 B983141983148983148983154983145983150983143983141983154 FCPA FCA Auditor General
AUDITOR GENERALrsquoSCOMMENTSI983150983142983151983154983149983137983156983145983151983150 983141983139983144983150983151983148983151983143983161 (I) sysems are vulnerableo hreas like hacking hef and sysems disrupion due o physical
damage or saboage For governmen I sysems herersquos even more
a sake because hese sysems conain subsanial ndash and sensiive ndash
inormaion We rely on I sysems or essenial services like healhcare
educaion and ransporaion and or millions o financial ransacions
across all governmen organizaions
Srong general compuing conrols are governmenrsquos firs line o deence
agains poenial hreas Tey conrol who can access he sysems
(confidenialiy) how o make changes o he sysems (inegriy) and
backup and recovery o sysems (availabiliy)
Wersquove seen issues wih general compuing conrols in previous audis
o I sysems including PARIS CORNE JUSIN ICM and
wireless neworks in governmen Over he las 983089983088 years 983095983096 o he
recommendaions in our I audi repors have been abou improving
general compuing conrols hus illusraing heir imporance
For his repor we looked a how good governmenrsquos general compuingconrols are and how good governmen organizaions hink hey are
o do his we asked 983089983092983096 governmen organizaions (minisries Crown
corporaions healh auhoriies universiies colleges schools and more)
o sel-assess how well-developed and capable heir general compuing
conrols are Tis is known as he mauriy level We hen validaed 983089983091 sel-
assessmens rom across all ypes o organizaions
Te majoriy o organizaions sel-assessed a mauriy level 983091 and
above However in our validaion we ound ha 983094983097 o organizaions
over-raed heir sel-assessmens Tey didnrsquo have sufficien evidenceo suppor heir sel-assessmens And mos o he organizaions lacked
documenaion o policies and procedures ndash boh hallmarks o maure
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
general compuing conrols We encourage all organizaions o ake a
criical look a heir I processes and be realisic abou heir level
o mauriy
We believe ha each organizaion should aim or a leas mauriy level 983091
as heir baseline Ta said some organizaions should have a higher arge
mauriy level especially hose ha have complex compuing needs or
handle sensiive inormaion
Te findings and recommendaions rom his audi should be o ineres
o all I proessionals in governmen organizaions Senior managemen
needs o ully undersand he imporance o general compuing
conrols and how hey can miigae hreas o heir I sysems We are
recommending ha organizaions review heir business and I goals and
deermine which mauriy level is bes suied or heir needs and hen
ensure ha mauriy level is achieved and mainained
We are graeul o all 983089983092983096 organizaions or compleing heir sel-
assessmens We had a 983089983088983088 response rae which helps o make our job
easier And hank you o he 983089983091 organizaions whose resuls we validaed
ndash we appreciae your cooperaion
Carol Bellringer FCPA FCA
Audior General
Vicoria BC
December 983090983088983089983093
AUDITOR GENERALrsquoS COMMENTS
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 525
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
78
of our previousIT audit
recommendations
were about
IT is critical to governmentrsquos
service delivery ndash
from healthcare to
education
IT is critical to governmentrsquos
service delivery ndash
from healthcare to
educationStrong general
computing controls
can reduce the impact
of risks
Strong general
computing controls
can reduce the impact
of risks
Over 600
IT services are outsourced
to external
parties
Over 600
IT services are outsourced
to external
parties
general
computingcontrols
general
computingcontrols
69 of audited
organizations lackedsufficient evidence
to support theirself-assessed levels
Majority oforganizationsself -assessed at
MATURITY
LEVEL 3
AND
ABOVE
Majority oforganizationsself -assessed at
MATURITY
LEVEL 3
AND
ABOVE
USE OF IT COMES WITH RISKS
FRAUD
ERRORS
SYSTEMDISRUPTION
BC governmentorganizationsSELF-ASSESSED A
HIGHER AVERAGE
MATURITY LEVEL
THAN 2013
REPORT HIGHLIGHTS
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 625
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
RESPONSE FROM THEMINISTRY OF TECHNOLOGY
INNOVATION ANDCITIZENSrsquo SERVICES983144983141 O983142983142983145983139983141 983151983142 he Chie Inormaion Officer (OCIO) would like o hank he Audior General or
reviewing he saus o Governmenrsquos General Compuing conrols Governmen akes very seriously he
imporance o general compuing conrols as he firs line o deense agains poenial hreas and is commited o
ensuring ongoing confidenialiy inegriy and availabiliy o sysems and daa under is mandae
I accep he Audior Generalrsquos recommendaion
peraining o he Governmen Chie Inormaion
Officerrsquos role in promoing srong conrols and
assising organizaions wih implemening hem and
will coninue o carry ou his role wihin my mandae
I have aken promp and appropriae acion and have
planned uure improvemens o he exen ha my
office is empowered o do so under he governmen
Core Policies
o dae we have compleed our Annual Inormaion
Securiy Review and creaed a Vulnerabiliy and
Risk Managemen eam o respond o relevan
incidens inegraed ormal securiy requiremens
ino vendor service procuremens implemened
advanced cybersecuriy and vulnerabiliy scanning
ools published new sandards or Criical Sysems
and Enerprise Business Archiecure o be applied by
all minisries ormalized he erms o Reerence and
processes or OCIOrsquos Change Advisory Board and
compleed governmenrsquos annual Business Coninuiy
Plan exercise and developed plans o address he
idenified gaps
In he coming monhs we plan o underake a
comprehensive daa classificaion sandards review
coninue our work on developing a Cloud securiy
sandard coninue o implemen criical securiy
inrasrucure ino governmenrsquos daa cenres implemen
a governmen-wide proacive issues managemen process
and coninue our effors o ensure compliance wih
relevan governmen sandards and policies
We appreciae he effors o he Office o he Audior General (OAG) o Briish Columbia in
heir assessmen o governmenrsquos compuing general
conrols wih he ulimae objecive o reducing overall
risk o governmen Te inormaion provided by ldquoTe
Saus o Governmenrsquos General Compuing Conrols
983090983088983089983092rdquo has provided valuable inormaion regarding he
mauriy o he managemen o he conrols and will
assis in prioriizing improvemens
My office will coninue o work wih Minisry Chie
Inormaion Officers o improve managemen o
conrols o achieve heir argeed mauriy level We
look orward o uure yearsrsquo assessmen by he Audior
General saff
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 725
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
BACKGROUNDTHE IMPORTANCE OF GENERAL
COMPUTING CONTROLSI983150983142983151983154983149983137983156983145983151983150 983141983139983144983150983151983148983151983143983161 (I) is criical o governmenrsquos day-o-day operaions From
delivering services like healhcare and educaion o processing billions o dollars in ransacions BCrsquos
governmen I sysems handle subsanial and sensiive inormaion Tis impacs he daily lives o everyone in
our province
More and more governmen is relying on hird paries
o develop heir I sysems and provide I services
Tere are currenly over 983094983088983088 ousourced I sysems
and services across governmen
All hese come wih risks such as
raud inenional access o sysems and daa
or personal gain
human errors uninenional changes o
sysems and daa
down ime inabiliy o resume criical services
quickly aer an unexpeced disrupion (power
ouages disasers or malicious aciviies)
o reduce he impac o hese risks governmen needs
srong conrols
General compuing conrols ensure ha I sysems
and services can help organizaions ulfill heir
needs (he business objecives) hrough he proper
developmen and implemenaion o applicaions
as well as he inegriy o programs daa files andcompuer operaions
Tey play an imporan role in deecing and
prevening raud and errors proecing organizaionsrsquo
I asses and ensuring ha criical business
operaions could coninue As such 983095983096 o he
recommendaions in our I audi repors over he
las 983089983088 years ocused on improving general compuing
conrols See Appendix B or a summary o hese 983089983088983092
I audi recommendaions
RESPONSIBI LITY FOR
GENERAL COMPUTING
CONTROLS
Te BC Office o he Governmen Chie Inormaion
Officer is mandaed wih governance auhoriy
or sandards seting oversigh and approvals or
he provincersquos inormaion and communicaionsechnology
BC governmen organizaions are responsible
or ollowing he spiri and inen o his policy in
designing and implemening he general compuing
conrols bes suied or heir I environmen ndash
regardless o wheher I sysems or services are in-
house or ousourced
BC governmen organizaions include minisriesCrown corporaions universiies colleges school
disrics healh auhoriies and oher organizaions
conrolled by or accounable o he provincial
governmen Collecively hey are called he
Government Reporting Entity (GRE)
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 825
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
2013
I983150 983090983088983089983091 983159983141 asked 983089983091983096 organizaions in he GRE o complee a sel-assessmen o heir sophisicaionregarding use o general compuing conrols We repored he resuls in erms o a mauriy level ha each BC
governmen organizaion had atained
Te sel-assessmen was designed using he mauriy
model defined in he COBI 983092983089 ramework
(see Exhibi 983089) Te mauriy model is a way o
assess how well developed and capable he
esablished I conrols are
COBI 983092983089 is a globally acceped rameworkdeveloped by he I Governance Insiue Te
insiue was ormed by ISACA ndash an independen
non-profi global associaion ha engages in he
developmen adopion and use o globally acceped
indusry-leading knowledge and pracices or
inormaion sysems
Te sel-assessmen ocused on nine critical I processes
defined in COBI 983092983089 as essenial or mainaining
confidentiality proecing he inormaion hey
manage
integrity ensuring ha ransacions are
processed correcly
availability ensuring cr iical governmen
services are always up and running
WHAT WE DID
983088 - Non-existent Complete lack o any recognizableprocesses Te enterprise has not even recognized that there is
an issue to be addressed
983089 - Initialad hoc Tere is evidence that the enterprise
has recognized that the issues exist and need to be addressed
Tere are however no standardized processes instead there
are ad hoc approaches that tend to be applied on an individual
or case-by-case basis Te overall approach to management is
disorganized
983090 - Repeatable but intuitive Processes have developed to
the stage where similar procedures are ollowed by differentpeople undertaking the same task Tere is no ormal training
or communication o standard procedures and responsibility
is lef to the individual Tere is a high degree o reliance on the
knowledge o individuals and thereore errors are likely
983091 - Defined Process Procedures have been standardizedand documented and communicated through training It is
mandated that these processes should be ollowed however
it is unlikely that deviations will be detected Te procedures
themselves are not sophisticated but are the ormalization o
existing practices
983092 - Managed and measurable Management monitors
and measures compliance with procedures and takes action
where processes appear not to be working effectively Processes
are under constant improvement and provide good practice
Automation and tools are used in a limited or ragmented way
983093 - Optimized Processes have been refined to a level o good
practice based on the results o continuous improvement and
maturity modeling with other enterprises I is used in an
integrated way to automate the workflow providing tools to
improve quality and effectiveness making the enterprise quick
to adapt
Exhibit 1 COBIT 41 Maturity model rating definitions
Source COBI 983092983089 conrol ramework or I governance ( wwwisacaorg)
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 925
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
See able 983089 or he descripion o each o he
nine areas
In 983090983088983089983091 we received 983089983088983088 o he organizaionsrsquo sel-assessmens We did no validae he resuls o heir
sel-assessmens bu we sen repors o he heads o
each organizaion Te repors showed heir resuls
compared o similar organizaions and provided
recommendaions on how hey can achieve or improve
heir arge mauriy levels We also sen a summary
repor o he BC Governmen Chie Inormaion
Officer
In January 983090983088983089983092 we published a high-level reporsummarizing our findings and inen or uure years as
par o our I compendium repor
2014
In Augus 983090983088983089983092 we asked he same 983089983091983095983089 organizaions
plus nine Independen Offices o he Legislaive
Assembly and wo new organizaions (in oal 983089983092983096
organizaions) o complee he same sel-assessmen
Tis year hough we seleced 983089983091 organizaions
and validaed heir sel-assessmens Tis sample
included a minisry a healh auhoriy wo Crown
corporaions hree universiies wo colleges and our
school disrics Te validaion process included
reviewing he compleed sel-assessmen orm
inerviewing key I personnel rom each
organizaion
examining supporing evidence or he sel-
assessed levels
983089 One o he 983089983091983096 organizaions in 983090983088983089983091 was dissolved in 983090983088983089983092
WHAT WE DID
Again we sen deailed repors o he heads o all
983089983092983096 organizaions comparing heir resuls o similar
organizaions as well as heir 983090983088983089983091 resuls Tese
repors provided recommendaions on how hey canachieve or improve on heir arge mauriy levels We
also sen a summary repor o he BC Governmen
Chie Inormaion Officer
We conduced his projec under secions 983089983088 and 983089983089
(983096) (b) o he Auditor General Act rom Augus 983090983088983089983092 o
June 983090983088983089983093
DETERMINING THE
BENCHMARK
Te COBI 983092983089 model saes ha mauriy levels may
be differen or each organizaion depending on he
organizaionsrsquo business objecives complexiy o heir
compuing sysems and I environmen and he
value o he inormaion hey manage For example
a governmen organizaion ha has he personal
inormaion o every person in Briish Columbia or
ha provides criical services should have highermauriy levels
We believe ha each organizaion should aim or a
leas maturity level 983091 Defined Process as heir baseline
A his level organizaions have sandardized and
documened heir procedures mandaed ha hey be
ollowed and rained saff accordingly
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1025
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
WHAT WE OBSERVED
0
1
2
3
4
5
27 26
31 3130 29 28
3028
32 3134 33
23 22
30 3029
M a t u r i t y
l e v e
l s
IT processes
M o n i t o
r a n d
e v a l u a
t e
I T p e r f o
r m a n
c e
M a n
a g e o p
e r a t i o
n s
M a n
a g e t h e
p h y s i c a l e
n v i r o
n m e n t
E n s u r e
s y s t e
m s s e
c u r i t y
E n s u r e
c o n t i n u
o u s s e
r v i c e
M a n a
g e t h i r d -
p a r t y
s e r v i c e
s
I n s t a l l a n
d a c c r
e d i t
s o l u t i o
n s a n d
c h a n g
e s
M a n
a g e c h a
n g e s
A
s s e s s a n
d m a n
a g e I T
r i s k s
2014 Range 2013 Range2013 Average2014 Average
ORGANIZATIONS SELF-ASSESSED A HIGHER
AVERAGE MATURITY LEVEL THAN 2013
O983158983141983154983137983148983148 983156983144983141 983137983158983141983154983137983143983141 sel-assessed mauriy level across all he organizaions in he BC GRE and
he nine I processes was beween 983090983091 and 983091983092 Tis is slighly higher han he 983090983088983089983091 resuls which were beween
mauriy levels 983090983090 and 983091983091 (See Exhibi 983090)
Healh auhoriies minisries and Crown corporaions
had consisenly higher average mauriy levels
han universiies colleges and school disrics
See Appendix A or mauriy levels by he nine I
processes and ype o organizaion
Exhibit 2 Range and average self-assessed maturity level for each IT process
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
THE MAJORITY OF ORGANIZATIONS SELF-
ASSESSED AT MATURITY LEVEL 3 AND ABOVE
Beween 983093983089 and 983096983092 o he organizaions sel-assessed a mauriy level 983091 and above in eigh o he nine Iprocesses (See Exhibi 983091)
WHAT WE OBSERVED
Exhibit 3 Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
P e r c e n t a g e
IT processes
0
20
40
60
80
100
M o n i t o
r a n d
e v a l u a
t e
I T p e r f o
r m a n
c e
M a n
a g e o p
e r a t i o
n s
M a n
a g e t h e
p h y s i c a l
e n v i r o
n m e n t
E n s u r e
s y s t e
m s s e
c u r i t y
E n s u r e
c o n t i n u
o u s s e
r v i c e
M a n
a g e t h i r d -
p a r t y
s e r v i c e
I n s t a l l a n
d a c c r
e d i t
s o l u t i o
n s a n d
c h a n g
e s
M a n
a g e c h a
n g e s
A s s e s s
a n d
m a n
a g e I T r i s k s
2014 - Maturity level 3 and above2014 - Below maturity level 3
2013 - Maturity level 3 and above2013 - Below maturity level 3
49 52
51 48
30 39
70 61
33 35
67 65
25 31
75 69
41 43
59 57
32 39
68 61
18 20
82 80
16 20
84 80
60 65
40 35
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
MOST ORGANIZATIONS LACKED SUFFICIENT
EVIDENCE TO SUPPORT THEIR SELF-ASSESSED
MATURITY LEVEL In our validaion we ound ha nine o he 983089983091
organizaions (983094983097) did no have sufficien evidence
o suppor heir sel-assessed mauriy level in one or
as many as all nine I processes
For organizaions ha had insufficien evidence o
suppor heir sel-assessmens we discussed our
findings wih hose organizaions and adjused heir
mauriy levels accordingly
Validation findings for the nineIT processes
Te able below summarizes our validaion resuls or
each o he nine I processes we looked a
WHAT WE OBSERVED
Table 1 Validation findings for each IT process
1 Assess and manage IT risks
All organizaions should define a risk managemen ramework or ideniying assessing and reaing risks ha affec key business areas Te ramework helps gaher inormaion on I operaions risks so ha senior managemen can makeinormed decisions abou he risks hey are willing o accep
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Four organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 and 4
Risk ma nagemen processes and aciv iies were
no ormally documened
in he process o being documened
in he early sage o implemenaion
Risk ma nagemen processes were no consisenly applied o all
aciviies in I operaions
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
2 Manage changes
Organizaions should manage changes o sysems o preven inaccurae daa processing disrupion or delay o ser vicesor cause loss o inormaion Prior o implemenaion organizaions should define policies sandards procedures and
roles and responsibiliies or monioring assessing and auhorizing changes
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Tree organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 4 or 5
Change managemen processes were
no esablished
no ormally documened
in he process o being developed
in he early sage o implemenaion
Lack o managemenrsquos periodic monioring o compliance wih
esablished policies sandards and procedures
3. Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed
4. Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers
- Did not follow its IT purchasing policy, and the policy was out-dated
5. Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined
- Lack of training and monitoring for continuous service
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.)
6. Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies
- Responsibility for systems security was neither clearly assigned nor independent from IT operations
- Security awareness and training was limited
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or were not aligned with business objectives
7. Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak
- Not all staff were trained in health, safety and emergency procedures
8. Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures
9. Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance
- High degree of reliance on the knowledge of individuals monitoring activities
- Procedures and indicators for managing IT performance were still in development
- Where monitoring processes exist, the indicators were output-based rather than outcome-based
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO
We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.
We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Chart: 1. Assess and manage IT risks. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Chart: 2. Manage changes. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Chart: 3. Install and accredit solutions and changes. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Chart: 4. Manage third-party services. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Chart: 5. Ensure continuous service. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Chart: 6. Ensure systems security. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Chart: 7. Manage the physical environment. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Chart: 8. Manage operations. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
[Chart: 9. Monitor and evaluate IT performance. Average maturity levels (0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area.]
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government’s Corporate Accounting System: Part 1 | 14 | 12 | 86%
Audit of the Government’s Corporate Accounting System: Part 2 | 13 | 5 | 38%
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67%
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100%
Integrated Case Management System | 7 | 5 | 71%
IT Continuity Planning in Government | 9 | 9 | 100%
Managing Access to the Corrections Case Management System | 9 | 9 | 100%
Managing Government’s Payment Processing | 6 | 3 | 50%
Securing the Justin System: Access and Security Audit at The Ministry of Justice | 5 | 5 | 100%
Summary Report: Results of Completed Projects - Info Security Management: An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100%
Summary Report: Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73%
The PARIS System for Community Care Services: Access and Security | 10 | 9 | 90%
Wireless Networking Security in Government: Phase 2 | 21 | 15 | 71%
Wireless Networking Security in Victoria Government Offices: Gaps in the Defensive Line | 4 | 4 | 100%
Total | 133 | 104 | 78%
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains further information about the Office.
Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover, Assistant Auditor General, Corporate Services
David Lau, Director, IT Audit
Joji Fortin, Manager, IT Audit
Joyce Mak, Senior Auditor, Financial Audit
Helen Li-Hennessey, Senior Auditor, Financial Audit
Nijjy Poikanon, Auditor, IT Audit
Wendy Lee, Senior Audit Associate, Financial Audit
Thank you to our staff members not listed above for your work on this project.
Carol Bellringer, FCPA, FCA, Auditor General
AUDITOR GENERAL’S COMMENTS
Information technology (IT) systems are vulnerable to threats like hacking, theft and systems disruption due to physical damage or sabotage. For government IT systems, there’s even more at stake because these systems contain substantial – and sensitive – information. We rely on IT systems for essential services like healthcare, education and transportation, and for millions of financial transactions across all government organizations.
Strong general computing controls are government’s first line of defence against potential threats. They control who can access the systems (confidentiality), how to make changes to the systems (integrity), and backup and recovery of systems (availability).
We’ve seen issues with general computing controls in previous audits of IT systems, including PARIS, CORNET, JUSTIN, ICM and wireless networks in government. Over the last 10 years, 78% of the recommendations in our IT audit reports have been about improving general computing controls, thus illustrating their importance.
For this report, we looked at how good government’s general computing controls are, and how good government organizations think they are. To do this, we asked 148 government organizations (ministries, Crown corporations, health authorities, universities, colleges, schools and more) to self-assess how well-developed and capable their general computing controls are. This is known as the maturity level. We then validated 13 self-assessments from across all types of organizations.
The majority of organizations self-assessed at maturity level 3 and above. However, in our validation, we found that 69% of organizations over-rated their self-assessments. They didn’t have sufficient evidence to support their self-assessments. And most of the organizations lacked documentation of policies and procedures – both hallmarks of mature general computing controls. We encourage all organizations to take a critical look at their IT processes and be realistic about their level of maturity.
We believe that each organization should aim for at least maturity level 3 as their baseline. That said, some organizations should have a higher target maturity level, especially those that have complex computing needs or handle sensitive information.
The findings and recommendations from this audit should be of interest to all IT professionals in government organizations. Senior management needs to fully understand the importance of general computing controls and how they can mitigate threats to their IT systems. We are recommending that organizations review their business and IT goals and determine which maturity level is best suited for their needs, and then ensure that maturity level is achieved and maintained.
We are grateful to all 148 organizations for completing their self-assessments. We had a 100% response rate, which helps to make our job easier. And thank you to the 13 organizations whose results we validated – we appreciate your cooperation.
Carol Bellringer, FCPA, FCA
Auditor General
Victoria, BC
December 2015
REPORT HIGHLIGHTS
78% of our previous IT audit recommendations were about general computing controls
IT is critical to government’s service delivery – from healthcare to education
Strong general computing controls can reduce the impact of risks
Over 600 IT services are outsourced to external parties
69% of audited organizations lacked sufficient evidence to support their self-assessed levels
Majority of organizations self-assessed at MATURITY LEVEL 3 AND ABOVE
USE OF IT COMES WITH RISKS: FRAUD, ERRORS, SYSTEM DISRUPTION
BC government organizations SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013
RESPONSE FROM THE MINISTRY OF TECHNOLOGY, INNOVATION AND CITIZENS’ SERVICES
The Office of the Chief Information Officer (OCIO) would like to thank the Auditor General for reviewing the status of Government’s General Computing controls. Government takes very seriously the importance of general computing controls as the first line of defense against potential threats and is committed to ensuring ongoing confidentiality, integrity and availability of systems and data under its mandate.
I accept the Auditor General’s recommendation pertaining to the Government Chief Information Officer’s role in promoting strong controls and assisting organizations with implementing them, and will continue to carry out this role within my mandate. I have taken prompt and appropriate action and have planned future improvements to the extent that my office is empowered to do so under the government Core Policies.
To date, we have completed our Annual Information Security Review and created a Vulnerability and Risk Management team to respond to relevant incidents, integrated formal security requirements into vendor service procurements, implemented advanced cybersecurity and vulnerability scanning tools, published new standards for Critical Systems and Enterprise Business Architecture to be applied by all ministries, formalized the Terms of Reference and processes for OCIO’s Change Advisory Board, and completed government’s annual Business Continuity Plan exercise and developed plans to address the identified gaps.
In the coming months, we plan to undertake a comprehensive data classification standards review, continue our work on developing a Cloud security standard, continue to implement critical security infrastructure into government’s data centres, implement a government-wide proactive issues management process, and continue our efforts to ensure compliance with relevant government standards and policies.
We appreciate the efforts of the Office of the Auditor General (OAG) of British Columbia in their assessment of government’s computing general controls with the ultimate objective of reducing overall risk to government. The information provided by “The Status of Government’s General Computing Controls 2014” has provided valuable information regarding the maturity of the management of the controls and will assist in prioritizing improvements.
My office will continue to work with Ministry Chief Information Officers to improve management of controls to achieve their targeted maturity level. We look forward to future years’ assessment by the Auditor General staff.
BACKGROUND
THE IMPORTANCE OF GENERAL COMPUTING CONTROLS
Information technology (IT) is critical to government’s day-to-day operations. From delivering services like healthcare and education to processing billions of dollars in transactions, BC’s government IT systems handle substantial and sensitive information. This impacts the daily lives of everyone in our province.
More and more, government is relying on third parties to develop their IT systems and provide IT services. There are currently over 600 outsourced IT systems and services across government.
All these come with risks, such as:
- fraud: intentional access to systems and data for personal gain
- human errors: unintentional changes to systems and data
- down time: inability to resume critical services quickly after an unexpected disruption (power outages, disasters or malicious activities)
To reduce the impact of these risks, government needs strong controls.
General computing controls ensure that IT systems and services can help organizations fulfill their needs (the business objectives) through the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations.
They play an important role in detecting and preventing fraud and errors, protecting organizations’ IT assets, and ensuring that critical business operations could continue. As such, 78% of the recommendations in our IT audit reports over the last 10 years focused on improving general computing controls. See Appendix B for a summary of these 104 IT audit recommendations.
RESPONSIBILITY FOR GENERAL COMPUTING CONTROLS
The BC Office of the Government Chief Information Officer is mandated with governance authority for standards setting, oversight and approvals for the province’s information and communications technology.
BC government organizations are responsible for following the spirit and intent of this policy in designing and implementing the general computing controls best suited for their IT environment – regardless of whether IT systems or services are in-house or outsourced.
BC government organizations include ministries, Crown corporations, universities, colleges, school districts, health authorities, and other organizations controlled by or accountable to the provincial government. Collectively, they are called the Government Reporting Entity (GRE).
WHAT WE DID
2013
In 2013, we asked 138 organizations in the GRE to complete a self-assessment of their sophistication regarding use of general computing controls. We reported the results in terms of a maturity level that each BC government organization had attained.
The self-assessment was designed using the maturity model defined in the COBIT 4.1 framework (see Exhibit 1). The maturity model is a way to assess how well developed and capable the established IT controls are.
COBIT 4.1 is a globally accepted framework developed by the IT Governance Institute. The institute was formed by ISACA – an independent, non-profit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.
The self-assessment focused on nine critical IT processes, defined in COBIT 4.1 as essential for maintaining:
- confidentiality: protecting the information they manage
- integrity: ensuring that transactions are processed correctly
- availability: ensuring critical government services are always up and running
0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 - Initial/ad hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable but intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 - Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 - Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Exhibit 1: COBIT 4.1 Maturity model rating definitions
Source: COBIT 4.1 control framework for IT governance (www.isaca.org)
See Table 1 for the description of each of the nine areas.
In 2013, we received 100% of the organizations’ self-assessments. We did not validate the results of their self-assessments, but we sent reports to the heads of each organization. The reports showed their results compared to similar organizations and provided recommendations on how they can achieve or improve their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.
In January 2014, we published a high-level report summarizing our findings and intent for future years as part of our IT compendium report.
2014
In August 2014, we asked the same 137 [1] organizations, plus nine Independent Offices of the Legislative Assembly and two new organizations (in total, 148 organizations), to complete the same self-assessment.
This year, though, we selected 13 organizations and validated their self-assessments. This sample included a ministry, a health authority, two Crown corporations, three universities, two colleges and four school districts. The validation process included:
- reviewing the completed self-assessment form
- interviewing key IT personnel from each organization
- examining supporting evidence for the self-assessed levels
[1] One of the 138 organizations in 2013 was dissolved in 2014.
Again, we sent detailed reports to the heads of all 148 organizations, comparing their results to similar organizations, as well as their 2013 results. These reports provided recommendations on how they can achieve or improve on their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.
We conducted this project under sections 10 and 11 (8) (b) of the Auditor General Act, from August 2014 to June 2015.
DETERMINING THE
BENCHMARK
The COBIT 4.1 model states that maturity levels may be different for each organization, depending on the organizations' business objectives, complexity of their computing systems and IT environment, and the value of the information they manage. For example, a government organization that has the personal information of every person in British Columbia, or that provides critical services, should have higher maturity levels.
We believe that each organization should aim for at least maturity level 3 - Defined Process as their baseline. At this level, organizations have standardized and documented their procedures, mandated that they be followed, and trained staff accordingly.
WHAT WE OBSERVED
[Chart for Exhibit 2: maturity levels (0 to 5) on the vertical axis, the nine IT processes on the horizontal axis; legend: 2014 Range, 2013 Range, 2014 Average, 2013 Average]
ORGANIZATIONS SELF-ASSESSED A HIGHER
AVERAGE MATURITY LEVEL THAN 2013
Overall, the average self-assessed maturity level across all the organizations in the BC GRE and the nine IT processes was between 2.3 and 3.4. This is slightly higher than the 2013 results, which were between maturity levels 2.2 and 3.3 (see Exhibit 2).
Health authorities, ministries and Crown corporations had consistently higher average maturity levels than universities, colleges and school districts. See Appendix A for maturity levels by the nine IT processes and type of organization.
Exhibit 2: Range and average self-assessed maturity level for each IT process
Source: Office of the Auditor General of British Columbia
THE MAJORITY OF ORGANIZATIONS SELF-ASSESSED AT MATURITY LEVEL 3 AND ABOVE
Between 51% and 84% of the organizations self-assessed at maturity level 3 and above in eight of the nine IT processes (see Exhibit 3).
Exhibit 3: Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
[Chart: percentage of organizations (0 to 100) on the vertical axis, the nine IT processes on the horizontal axis; legend: 2014 - Maturity level 3 and above, 2014 - Below maturity level 3, 2013 - Maturity level 3 and above, 2013 - Below maturity level 3]
Source: Office of the Auditor General of British Columbia
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL
In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one or as many as all nine IT processes.
For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.
Validation findings for the nine IT processes
The table below summarizes our validation results for each of the nine IT processes we looked at.
Table 1: Validation findings for each IT process
1. Assess and manage IT risks
All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks so that senior management can make informed decisions about the risks they are willing to accept.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.
Deficiencies in general computing controls:
• Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
• Risk management processes were not consistently applied to all activities in IT operations
2. Manage changes
Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay to services, or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.
Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.
Deficiencies in general computing controls:
• Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
• Lack of management's periodic monitoring of compliance with established policies, standards and procedures
3. Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
• Procedures were:
  - ad hoc, informally documented
  - still being developed
4. Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
• Lack of formal documentation in selecting and managing third-party providers
• Did not follow its IT purchasing policy, and the policy was out-dated
5. Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
• Roles and responsibilities were not defined
• Lack of training and monitoring for continuous service
• IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
• Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.)
6. Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
• establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
• monitoring and testing security plans periodically to identify security weaknesses or incidents
• developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
• IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
• IT security procedures were not aligned with IT security policies
• Responsibility for systems security was neither clearly assigned nor independent from IT operations
• Security awareness and training was limited
• Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or were not aligned with business objectives
7. Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
• define the roles and responsibilities for managing the physical environment
• establish appropriate physical site requirements
• monitor environmental factors
• manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
• Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
• Physical access to computing facilities was neither monitored nor reviewed
• Some organizations had not implemented preventive measures; where they had, the monitoring was weak
• Not all staff were trained in health, safety and emergency procedures
8. Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
• defining roles and responsibilities for managing IT operations
• establishing operating policies and procedures for data processing
• protecting sensitive reports
• monitoring IT infrastructure performance
• ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
• Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
• Lack of:
  - ongoing training
  - monitoring against IT standards
• High degree of reliance on the knowledge of individuals managing IT operations
• Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures
9. Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
• Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance
• High degree of reliance on the knowledge of individuals monitoring activities
• Procedures and indicators for managing IT performance were still in development
• Where monitoring processes exist, the indicators were output-based rather than outcome-based
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO
We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.
We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Nine charts, one per IT process. Vertical axis: average maturity levels (0 to 5). Horizontal axis: type of organization (ministries, Crown corporations, health authorities, universities, colleges, school districts). Legend: 2014 average for type of organization, 2013 average for type of organization, 2014 average for IT process area, 2013 average for IT process area. Chart titles:]
1. Assess and manage IT risks
2. Manage changes
3. Install and accredit solutions and changes
4. Manage third-party services
5. Ensure continuous service
6. Ensure systems security
7. Manage the physical environment
8. Manage operations
9. Monitor and evaluate IT performance
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government's Corporate Accounting System: Part 1 | 14 | 12 | 86%
Audit of the Government's Corporate Accounting System: Part 2 | 13 | 5 | 38%
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67%
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100%
Integrated Case Management System | 7 | 5 | 71%
IT Continuity Planning in Government | 9 | 9 | 100%
Managing Access to the Corrections Case Management System | 9 | 9 | 100%
Managing Government's Payment Processing | 6 | 3 | 50%
Securing the Justin System: Access and Security Audit at The Ministry of Justice | 5 | 5 | 100%
Summary Report: Results of Completed Projects - Info Security Management: An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100%
Summary Report: Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73%
The PARIS System for Community Care Services: Access and Security | 10 | 9 | 90%
Wireless Networking Security in Government: Phase 2 | 21 | 15 | 71%
Wireless Networking Security in Victoria Government Offices: Gaps in the Defensive Line | 4 | 4 | 100%
Total | 133 | 104 | 78%
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains further information about the Office.
Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover
Assistant Auditor General, Corporate Services
David Lau
Director, IT Audit
Joji Forin
Manager, IT Audit
Joyce Mak
Senior Auditor, Financial Audit
Helen Li-Hennessey
Senior Auditor, Financial Audit
Nijjy Poikanon
Auditor, IT Audit
Wendy Lee
Senior Audit Associate, Financial Audit
Thank you to our staff members not listed above for your work on this project.
general computing controls. We encourage all organizations to take a critical look at their IT processes and be realistic about their level of maturity.
We believe that each organization should aim for at least maturity level 3 as their baseline. That said, some organizations should have a higher target maturity level, especially those that have complex computing needs or handle sensitive information.
The findings and recommendations from this audit should be of interest to all IT professionals in government organizations. Senior management needs to fully understand the importance of general computing controls and how they can mitigate threats to their IT systems. We are recommending that organizations review their business and IT goals and determine which maturity level is best suited for their needs, and then ensure that maturity level is achieved and maintained.
We are grateful to all 148 organizations for completing their self-assessments. We had a 100% response rate, which helps to make our job easier. And thank you to the 13 organizations whose results we validated – we appreciate your cooperation.
Carol Bellringer, FCPA, FCA
Auditor General
Victoria, BC
December 2015
AUDITOR GENERAL'S COMMENTS
• 78% of our previous IT audit recommendations were about general computing controls
• IT is critical to government's service delivery – from healthcare to education
• Strong general computing controls can reduce the impact of risks
• Over 600 IT services are outsourced to external parties
• 69% of audited organizations lacked sufficient evidence to support their self-assessed levels
• Majority of organizations self-assessed at MATURITY LEVEL 3 AND ABOVE
• USE OF IT COMES WITH RISKS: FRAUD, ERRORS, SYSTEM DISRUPTION
• BC government organizations SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013
REPORT HIGHLIGHTS
RESPONSE FROM THE MINISTRY OF TECHNOLOGY, INNOVATION AND CITIZENS' SERVICES
The Office of the Chief Information Officer (OCIO) would like to thank the Auditor General for reviewing the status of Government's General Computing controls. Government takes very seriously the importance of general computing controls as the first line of defense against potential threats and is committed to ensuring ongoing confidentiality, integrity and availability of systems and data under its mandate.
I accept the Auditor General's recommendation pertaining to the Government Chief Information Officer's role in promoting strong controls and assisting organizations with implementing them, and will continue to carry out this role within my mandate. I have taken prompt and appropriate action and have planned future improvements to the extent that my office is empowered to do so under the government Core Policies.
To date, we have completed our Annual Information Security Review and created a Vulnerability and Risk Management Team to respond to relevant incidents; integrated formal security requirements into vendor service procurements; implemented advanced cybersecurity and vulnerability scanning tools; published new standards for Critical Systems and Enterprise Business Architecture to be applied by all ministries; formalized the Terms of Reference and processes for OCIO's Change Advisory Board; and completed government's annual Business Continuity Plan exercise and developed plans to address the identified gaps.
In the coming months, we plan to undertake a comprehensive data classification standards review; continue our work on developing a Cloud security standard; continue to implement critical security infrastructure into government's data centres; implement a government-wide proactive issues management process; and continue our efforts to ensure compliance with relevant government standards and policies.
We appreciate the efforts of the Office of the Auditor General (OAG) of British Columbia in their assessment of government's computing general controls with the ultimate objective of reducing overall risk to government. The information provided by "The Status of Government's General Computing Controls 2014" has provided valuable information regarding the maturity of the management of the controls and will assist in prioritizing improvements.
My office will continue to work with Ministry Chief Information Officers to improve management of controls to achieve their targeted maturity level. We look forward to future years' assessment by the Auditor General staff.
BACKGROUND
THE IMPORTANCE OF GENERAL COMPUTING CONTROLS
Information technology (IT) is critical to government's day-to-day operations. From delivering services like healthcare and education to processing billions of dollars in transactions, BC's government IT systems handle substantial and sensitive information. This impacts the daily lives of everyone in our province.
More and more, government is relying on third parties to develop their IT systems and provide IT services. There are currently over 600 outsourced IT systems and services across government.
All these come with risks, such as:
• fraud: intentional access to systems and data for personal gain
• human errors: unintentional changes to systems and data
• down time: inability to resume critical services quickly after an unexpected disruption (power outages, disasters or malicious activities)
To reduce the impact of these risks, government needs strong controls.
General computing controls ensure that IT systems and services can help organizations fulfill their needs (the business objectives) through the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations.
They play an important role in detecting and preventing fraud and errors, protecting organizations' IT assets, and ensuring that critical business operations could continue. As such, 78% of the recommendations in our IT audit reports over the last 10 years focused on improving general computing controls. See Appendix B for a summary of these 104 IT audit recommendations.
RESPONSIBILITY FOR GENERAL COMPUTING CONTROLS
The BC Office of the Government Chief Information Officer is mandated with governance authority for standards setting, oversight and approvals for the province's information and communications technology.
BC government organizations are responsible for following the spirit and intent of this policy in designing and implementing the general computing controls best suited for their IT environment – regardless of whether IT systems or services are in-house or outsourced.
BC government organizations include ministries, Crown corporations, universities, colleges, school districts, health authorities and other organizations controlled by or accountable to the provincial government. Collectively, they are called the Government Reporting Entity (GRE).
2013
In 2013, we asked 138 organizations in the GRE to complete a self-assessment of their sophistication regarding use of general computing controls. We reported the results in terms of a maturity level that each BC government organization had attained.
The self-assessment was designed using the maturity model defined in the COBIT 4.1 framework (see Exhibit 1). The maturity model is a way to assess how well developed and capable the established IT controls are.
COBIT 4.1 is a globally accepted framework developed by the IT Governance Institute. The institute was formed by ISACA – an independent, non-profit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.
The self-assessment focused on nine critical IT processes defined in COBIT 4.1 as essential for maintaining:
• confidentiality: protecting the information they manage
• integrity: ensuring that transactions are processed correctly
• availability: ensuring critical government services are always up and running
0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 - Initial/ad hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable but intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 - Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 - Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Exhibit 1: COBIT 4.1 Maturity model rating definitions
Source: COBIT 4.1 control framework for IT governance (www.isaca.org)
See Table 1 for the description of each of the nine areas.

In 2013, we received 100% of the organizations' self-assessments. We did not validate the results of their self-assessments, but we sent reports to the heads of each organization. The reports showed their results compared to similar organizations, and provided recommendations on how they can achieve or improve their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.

In January 2014, we published a high-level report summarizing our findings and intent for future years as part of our IT compendium report.
2014

In August 2014, we asked the same 137¹ organizations, plus nine Independent Offices of the Legislative Assembly and two new organizations (in total, 148 organizations), to complete the same self-assessment.

This year, though, we selected 13 organizations and validated their self-assessments. This sample included a ministry, a health authority, two Crown corporations, three universities, two colleges and four school districts. The validation process included:
- reviewing the completed self-assessment form
- interviewing key IT personnel from each organization
- examining supporting evidence for the self-assessed levels

¹ One of the 138 organizations in 2013 was dissolved in 2014.
Again, we sent detailed reports to the heads of all 148 organizations, comparing their results to similar organizations, as well as their 2013 results. These reports provided recommendations on how they can achieve or improve on their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.

We conducted this project under sections 10 and 11 (8) (b) of the Auditor General Act, from August 2014 to June 2015.
DETERMINING THE BENCHMARK

The COBIT 4.1 model states that maturity levels may be different for each organization, depending on the organizations' business objectives, complexity of their computing systems and IT environment, and the value of the information they manage. For example, a government organization that has the personal information of every person in British Columbia, or that provides critical services, should have higher maturity levels.

We believe that each organization should aim for at least maturity level 3, Defined Process, as their baseline. At this level, organizations have standardized and documented their procedures, mandated that they be followed and trained staff accordingly.
WHAT WE OBSERVED
[Exhibit 2 chart not reproduced. Vertical axis: maturity levels (0 to 5). Horizontal axis: IT processes (Monitor and evaluate IT performance; Manage operations; Manage the physical environment; Ensure systems security; Ensure continuous service; Manage third-party services; Install and accredit solutions and changes; Manage changes; Assess and manage IT risks). Series: 2014 range, 2013 range, 2014 average, 2013 average.]
ORGANIZATIONS SELF-ASSESSED A HIGHER
AVERAGE MATURITY LEVEL THAN 2013
Overall, the average self-assessed maturity level across all the organizations in the BC GRE and the nine IT processes was between 2.3 and 3.4. This is slightly higher than the 2013 results, which were between maturity levels 2.2 and 3.3. (See Exhibit 2.)

Health authorities, ministries and Crown corporations had consistently higher average maturity levels than universities, colleges and school districts. See Appendix A for maturity levels by the nine IT processes and type of organization.

Exhibit 2: Range and average self-assessed maturity level for each IT process
Source: Office of the Auditor General of British Columbia
THE MAJORITY OF ORGANIZATIONS SELF-ASSESSED AT MATURITY LEVEL 3 AND ABOVE

Between 51% and 84% of the organizations self-assessed at maturity level 3 and above in eight of the nine IT processes. (See Exhibit 3.)

Exhibit 3: Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
[Exhibit 3 chart not reproduced. Vertical axis: percentage (0 to 100). Horizontal axis: IT processes (Monitor and evaluate IT performance; Manage operations; Manage the physical environment; Ensure systems security; Ensure continuous service; Manage third-party services; Install and accredit solutions and changes; Manage changes; Assess and manage IT risks). Series: 2014 and 2013, each split into maturity level 3 and above, and below maturity level 3.]
Source: Office of the Auditor General of British Columbia
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL

In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one, or as many as all nine, IT processes.

For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.

Validation findings for the nine IT processes

The table below summarizes our validation results for each of the nine IT processes we looked at.
Table 1: Validation findings for each IT process

1. Assess and manage IT risks

All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks, so that senior management can make informed decisions about the risks they are willing to accept.

Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.

Deficiencies in general computing controls:
- Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
- Risk management processes were not consistently applied to all activities in IT operations.
2. Manage changes

Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay of services, or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.

Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.

Deficiencies in general computing controls:
- Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
- Lack of management's periodic monitoring of compliance with established policies, standards and procedures.

3. Install and accredit solutions and changes

In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in line with the agreed-upon expectations and outcomes.

Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.

Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed

4. Manage third-party services

Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.

Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.

Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers.
- Did not follow its IT purchasing policy, and the policy was out-dated.
5. Ensure continuous service

The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.

Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.

Deficiencies in general computing controls:
- Roles and responsibilities were not defined.
- Lack of training and monitoring for continuous service.
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.).

6. Ensure systems security

To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact

Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.

Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies.
- Responsibility for systems security was neither clearly assigned nor independent from IT operations.
- Security awareness and training was limited.
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or were not aligned with business objectives.
7. Manage the physical environment

To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access

Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.

Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed.
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak.
- Not all staff were trained in health, safety and emergency procedures.
8. Manage operations

To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware

Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.

Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations.
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures.

9. Monitor and evaluate IT performance

Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.

Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.

Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance.
- High degree of reliance on the knowledge of individuals monitoring activities.
- Procedures and indicators for managing IT performance were still in development.
- Where monitoring processes exist, the indicators were output-based rather than outcome-based.
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO

We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.

We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Charts not reproduced: one bar chart for each of the nine IT processes (1 Assess and manage IT risks; 2 Manage changes; 3 Install and accredit solutions and changes; 4 Manage third-party services; 5 Ensure continuous service; 6 Ensure systems security; 7 Manage the physical environment; 8 Manage operations; 9 Monitor and evaluate IT performance). Vertical axis: average maturity levels (0 to 5). Horizontal axis: type of organization (ministries, Crown corporations, health authorities, universities, colleges, school districts). Series: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area.]
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
| IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes |
|---|---|---|---|
| Audit of the Government's Corporate Accounting System: Part 1 | 14 | 12 | 86% |
| Audit of the Government's Corporate Accounting System: Part 2 | 13 | 5 | 38% |
| Electronic Health Record Implementation in British Columbia | 3 | 2 | 67% |
| Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100% |
| Integrated Case Management System | 7 | 5 | 71% |
| IT Continuity Planning in Government | 9 | 9 | 100% |
| Managing Access to the Corrections Case Management System | 9 | 9 | 100% |
| Managing Government's Payment Processing | 6 | 3 | 50% |
| Securing the Justin System: Access and Security Audit at The Ministry of Justice | 5 | 5 | 100% |
| Summary Report: Results of Completed Projects - Info Security Management: An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100% |
| Summary Report: Results of Completed Projects - Wireless Networking Security: Phase 3 | 22 | 16 | 73% |
| The PARIS System for Community Care Services: Access and Security | 10 | 9 | 90% |
| Wireless Networking Security in Government: Phase 2 | 21 | 15 | 71% |
| Wireless Networking Security in Victoria Government Offices: Gaps in the Defensive Line | 4 | 4 | 100% |
| Total | 133 | 104 | 78% |
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1

Office Hours
Monday to Friday
8:30 am – 4:30 pm

Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com

This report and others are available at our website, which also contains further information about the Office.

Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover, Assistant Auditor General, Corporate Services
David Lau, Director, IT Audit
Joji Forin, Manager, IT Audit
Joyce Mak, Senior Auditor, Financial Audit
Helen Li- Hennessey, Senior Auditor, Financial Audit
Nijjy Poikanon, Auditor, IT Audit
Wendy Lee, Senior Audit Associate, Financial Audit

Thank you to our staff members not listed above for your work on this project.
REPORT HIGHLIGHTS
- 78% of our previous IT audit recommendations were about general computing controls
- IT is critical to government's service delivery – from healthcare to education
- Strong general computing controls can reduce the impact of risks
- Over 600 IT services are outsourced to external parties
- 69% of audited organizations lacked sufficient evidence to support their self-assessed levels
- Majority of organizations self-assessed at MATURITY LEVEL 3 AND ABOVE
- USE OF IT COMES WITH RISKS: FRAUD, ERRORS, SYSTEM DISRUPTION
- BC government organizations SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013
RESPONSE FROM THE MINISTRY OF TECHNOLOGY, INNOVATION AND CITIZENS' SERVICES

The Office of the Chief Information Officer (OCIO) would like to thank the Auditor General for reviewing the status of Government's General Computing controls. Government takes very seriously the importance of general computing controls as the first line of defense against potential threats and is committed to ensuring ongoing confidentiality, integrity and availability of systems and data under its mandate.

I accept the Auditor General's recommendation pertaining to the Government Chief Information Officer's role in promoting strong controls and assisting organizations with implementing them, and will continue to carry out this role within my mandate. I have taken prompt and appropriate action and have planned future improvements to the extent that my office is empowered to do so under the government Core Policies.

To date we have completed our Annual Information Security Review and created a Vulnerability and Risk Management team to respond to relevant incidents; integrated formal security requirements into vendor service procurements; implemented advanced cybersecurity and vulnerability scanning tools; published new standards for Critical Systems and Enterprise Business Architecture to be applied by all ministries; formalized the Terms of Reference and processes for OCIO's Change Advisory Board; and completed government's annual Business Continuity Plan exercise and developed plans to address the identified gaps.

In the coming months we plan to undertake a comprehensive data classification standards review; continue our work on developing a Cloud security standard; continue to implement critical security infrastructure into government's data centres; implement a government-wide proactive issues management process; and continue our efforts to ensure compliance with relevant government standards and policies.

We appreciate the efforts of the Office of the Auditor General (OAG) of British Columbia in their assessment of government's computing general controls with the ultimate objective of reducing overall risk to government. The information provided by "The Status of Government's General Computing Controls: 2014" has provided valuable information regarding the maturity of the management of the controls and will assist in prioritizing improvements.

My office will continue to work with Ministry Chief Information Officers to improve management of controls to achieve their targeted maturity level. We look forward to future years' assessment by the Auditor General staff.
BACKGROUND

THE IMPORTANCE OF GENERAL COMPUTING CONTROLS

Information technology (IT) is critical to government's day-to-day operations. From delivering services like healthcare and education, to processing billions of dollars in transactions, BC's government IT systems handle substantial and sensitive information. This impacts the daily lives of everyone in our province.

More and more, government is relying on third parties to develop their IT systems and provide IT services. There are currently over 600 outsourced IT systems and services across government.

All these come with risks, such as:
- fraud: intentional access to systems and data for personal gain
- human errors: unintentional changes to systems and data
- down time: inability to resume critical services quickly after an unexpected disruption (power outages, disasters or malicious activities)

To reduce the impact of these risks, government needs strong controls.

General computing controls ensure that IT systems and services can help organizations fulfill their needs (the business objectives), through the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations.

They play an important role in detecting and preventing fraud and errors, protecting organizations' IT assets, and ensuring that critical business operations could continue. As such, 78% of the recommendations in our IT audit reports over the last 10 years focused on improving general computing controls. See Appendix B for a summary of these 104 IT audit recommendations.

RESPONSIBILITY FOR GENERAL COMPUTING CONTROLS

The BC Office of the Government Chief Information Officer is mandated with governance authority for standards setting, oversight and approvals for the province's information and communications technology.
BC governmen organizaions are responsible
or ollowing he spiri and inen o his policy in
designing and implemening he general compuing
conrols bes suied or heir I environmen ndash
regardless o wheher I sysems or services are in-
house or ousourced
BC governmen organizaions include minisriesCrown corporaions universiies colleges school
disrics healh auhoriies and oher organizaions
conrolled by or accounable o he provincial
governmen Collecively hey are called he
Government Reporting Entity (GRE)
WHAT WE DID

2013

In 2013, we asked 138 organizations in the GRE to complete a self-assessment of their sophistication regarding use of general computing controls. We reported the results in terms of a maturity level that each BC government organization had attained.

The self-assessment was designed using the maturity model defined in the COBIT 4.1 framework (see Exhibit 1). The maturity model is a way to assess how well developed and capable the established IT controls are.

COBIT 4.1 is a globally accepted framework developed by the IT Governance Institute. The institute was formed by ISACA - an independent, non-profit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.

The self-assessment focused on nine critical IT processes defined in COBIT 4.1 as essential for maintaining:
- confidentiality: protecting the information they manage
- integrity: ensuring that transactions are processed correctly
- availability: ensuring critical government services are always up and running

Exhibit 1: COBIT 4.1 Maturity model rating definitions

0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.

1 - Initial/ad hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.

2 - Repeatable but intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.

3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 - Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 - Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Source: COBIT 4.1 control framework for IT governance (www.isaca.org)
See Table 1 for the description of each of the nine areas.

In 2013, we received 100% of the organizations' self-assessments. We did not validate the results of their self-assessments, but we sent reports to the heads of each organization. The reports showed their results compared to similar organizations, and provided recommendations on how they can achieve or improve their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.

In January 2014, we published a high-level report summarizing our findings and intent for future years as part of our IT compendium report.

2014

In August 2014, we asked the same 137 [1] organizations, plus nine Independent Offices of the Legislative Assembly and two new organizations (in total, 148 organizations), to complete the same self-assessment.

This year, though, we selected 13 organizations and validated their self-assessments. This sample included a ministry, a health authority, two Crown corporations, three universities, two colleges and four school districts. The validation process included:
- reviewing the completed self-assessment form
- interviewing key IT personnel from each organization
- examining supporting evidence for the self-assessed levels

[1] One of the 138 organizations in 2013 was dissolved in 2014.

Again, we sent detailed reports to the heads of all 148 organizations, comparing their results to similar organizations as well as their 2013 results. These reports provided recommendations on how they can achieve or improve on their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.

We conducted this project under sections 10 and 11 (8) (b) of the Auditor General Act, from August 2014 to June 2015.

DETERMINING THE BENCHMARK

The COBIT 4.1 model states that maturity levels may be different for each organization, depending on the organizations' business objectives, complexity of their computing systems and IT environment, and the value of the information they manage. For example, a government organization that has the personal information of every person in British Columbia, or that provides critical services, should have higher maturity levels.

We believe that each organization should aim for at least maturity level 3: Defined Process as their baseline. At this level, organizations have standardized and documented their procedures, mandated that they be followed and trained staff accordingly.
WHAT WE OBSERVED
ORGANIZATIONS SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013

Overall, the average self-assessed maturity level across all the organizations in the BC GRE and the nine IT processes was between 2.3 and 3.4. This is slightly higher than the 2013 results, which were between maturity levels 2.2 and 3.3 (see Exhibit 2).

Health authorities, ministries and Crown corporations had consistently higher average maturity levels than universities, colleges and school districts. See Appendix A for maturity levels by the nine IT processes and type of organization.

Exhibit 2: Range and average self-assessed maturity level for each IT process
[Chart not reproduced. Y-axis: Maturity levels (0 to 5). X-axis: IT processes (Monitor and evaluate IT performance; Manage operations; Manage the physical environment; Ensure systems security; Ensure continuous service; Manage third-party services; Install and accredit solutions and changes; Manage changes; Assess and manage IT risks). Series: 2014 Range, 2013 Range, 2014 Average, 2013 Average.]
Source: Office of the Auditor General of British Columbia
THE MAJORITY OF ORGANIZATIONS SELF-ASSESSED AT MATURITY LEVEL 3 AND ABOVE

Between 51% and 84% of the organizations self-assessed at maturity level 3 and above in eight of the nine IT processes (see Exhibit 3).

Exhibit 3: Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
[Chart not reproduced. Y-axis: Percentage (0 to 100). X-axis: IT processes (Monitor and evaluate IT performance; Manage operations; Manage the physical environment; Ensure systems security; Ensure continuous service; Manage third-party services; Install and accredit solutions and changes; Manage changes; Assess and manage IT risks). Series: 2014 - Maturity level 3 and above; 2014 - Below maturity level 3; 2013 - Maturity level 3 and above; 2013 - Below maturity level 3.]
Source: Office of the Auditor General of British Columbia
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL

In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one or as many as all nine IT processes.

For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.

Validation findings for the nine IT processes

The table below summarizes our validation results for each of the nine IT processes we looked at.

Table 1: Validation findings for each IT process

1. Assess and manage IT risks
All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks so that senior management can make informed decisions about the risks they are willing to accept.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.
Deficiencies in general computing controls:
- Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
- Risk management processes were not consistently applied to all activities in IT operations.
2. Manage changes
Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay of services, or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.
Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.
Deficiencies in general computing controls:
- Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
- Lack of management's periodic monitoring of compliance with established policies, standards and procedures.

3. Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in-line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed

4. Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers.
- Did not follow its IT purchasing policy and the policy was out-dated.
5. Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined.
- Lack of training and monitoring for continuous service.
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.).

6. Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies.
- Responsibility for systems security was neither clearly assigned nor independent from IT operations.
- Security awareness and training was limited.
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or was not aligned with business objectives.
7. Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed.
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak.
- Not all staff were trained in health, safety and emergency procedures.
8. Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations.
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures.

9. Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance.
- High degree of reliance on the knowledge of individuals monitoring activities.
- Procedures and indicators for managing IT performance were still in development.
- Where monitoring processes exist, the indicators were output-based rather than outcome-based.

Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO

We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.

We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION

[Nine bar charts, one per IT process, not reproduced. Each chart plots average maturity levels (y-axis, 0 to 5) by type of organization (Ministries, Crown Corporations, Health Authorities, Universities, Colleges, School Districts). Series: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]

Chart titles:
1. Assess and manage IT risks
2. Manage changes
3. Install and accredit solutions and changes
4. Manage third-party services
5. Ensure continuous service
6. Ensure systems security
7. Manage the physical environment
8. Manage operations
9. Monitor and evaluate IT performance
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS

IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government's Corporate Accounting System: Part 1 | 14 | 12 | 86%
Audit of the Government's Corporate Accounting System: Part 2 | 13 | 5 | 38%
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67%
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100%
Integrated Case Management System | 7 | 5 | 71%
IT Continuity Planning in Government | 9 | 9 | 100%
Managing Access to the Corrections Case Management System | 9 | 9 | 100%
Managing Government's Payment Processing | 6 | 3 | 50%
Securing the Justin System: Access and Security Audit at The Ministry of Justice | 5 | 5 | 100%
Summary Report: Results of Completed Projects - Info Security Management: An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100%
Summary Report: Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73%
The PARIS System for Community Care Services: Access and Security | 10 | 9 | 90%
Wireless Networking Security in Government: Phase 2 | 21 | 15 | 71%
Wireless Networking Security in Victoria Government Offices: Gaps in the Defensive Line | 4 | 4 | 100%
Total | 133 | 104 | 78%
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1

Office Hours
Monday to Friday
8:30 am - 4:30 pm

Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com

This report and others are available at our website, which also contains further information about the Office.

Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.

AUDIT TEAM
Cornell Dover, Assistant Auditor General, Corporate Services
David Lau, Director, IT Audit
Joji Forin, Manager, IT Audit
Joyce Mak, Senior Auditor, Financial Audit
Helen Li-Hennessey, Senior Auditor, Financial Audit
Nijjy Poikanon, Auditor, IT Audit
Wendy Lee, Senior Audit Associate, Financial Audit

Thank you to our staff members not listed above for your work on this project.
RESPONSE FROM THE MINISTRY OF TECHNOLOGY, INNOVATION AND CITIZENS' SERVICES

The Office of the Chief Information Officer (OCIO) would like to thank the Auditor General for reviewing the status of Government's General Computing controls. Government takes very seriously the importance of general computing controls as the first line of defense against potential threats and is committed to ensuring ongoing confidentiality, integrity and availability of systems and data under its mandate.

I accept the Auditor General's recommendation pertaining to the Government Chief Information Officer's role in promoting strong controls and assisting organizations with implementing them, and will continue to carry out this role within my mandate. I have taken prompt and appropriate action and have planned future improvements to the extent that my office is empowered to do so under the government Core Policies.

To date we have completed our Annual Information Security Review and created a Vulnerability and Risk Management team to respond to relevant incidents; integrated formal security requirements into vendor service procurements; implemented advanced cybersecurity and vulnerability scanning tools; published new standards for Critical Systems and Enterprise Business Architecture to be applied by all ministries; formalized the Terms of Reference and processes for OCIO's Change Advisory Board; and completed government's annual Business Continuity Plan exercise and developed plans to address the identified gaps.

In the coming months we plan to undertake a comprehensive data classification standards review, continue our work on developing a Cloud security standard, continue to implement critical security infrastructure into government's data centres, implement a government-wide proactive issues management process and continue our efforts to ensure compliance with relevant government standards and policies.
We appreciae he effors o he Office o he Audior General (OAG) o Briish Columbia in
heir assessmen o governmenrsquos compuing general
conrols wih he ulimae objecive o reducing overall
risk o governmen Te inormaion provided by ldquoTe
Saus o Governmenrsquos General Compuing Conrols
983090983088983089983092rdquo has provided valuable inormaion regarding he
mauriy o he managemen o he conrols and will
assis in prioriizing improvemens
My office will coninue o work wih Minisry Chie
Inormaion Officers o improve managemen o
conrols o achieve heir argeed mauriy level We
look orward o uure yearsrsquo assessmen by he Audior
General saff
BACKGROUND
THE IMPORTANCE OF GENERAL COMPUTING CONTROLS
Information technology (IT) is critical to government's day-to-day operations. From delivering services like healthcare and education to processing billions of dollars in transactions, BC's government IT systems handle substantial and sensitive information. This impacts the daily lives of everyone in our province.
More and more, government is relying on third parties to develop their IT systems and provide IT services. There are currently over 600 outsourced IT systems and services across government.
All these come with risks, such as:
- fraud: intentional access to systems and data for personal gain
- human errors: unintentional changes to systems and data
- down time: inability to resume critical services quickly after an unexpected disruption (power outages, disasters or malicious activities)
To reduce the impact of these risks, government needs strong controls.
General computing controls ensure that IT systems and services can help organizations fulfill their needs (the business objectives) through the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations.
They play an important role in detecting and preventing fraud and errors, protecting organizations' IT assets and ensuring that critical business operations could continue. As such, 78% of the recommendations in our IT audit reports over the last 10 years focused on improving general computing controls. See Appendix B for a summary of these 104 IT audit recommendations.
RESPONSIBILITY FOR GENERAL COMPUTING CONTROLS
The BC Office of the Government Chief Information Officer is mandated with governance authority for standards setting, oversight and approvals for the province's information and communications technology.
BC government organizations are responsible for following the spirit and intent of this policy in designing and implementing the general computing controls best suited for their IT environment – regardless of whether IT systems or services are in-house or outsourced.
BC government organizations include ministries, Crown corporations, universities, colleges, school districts, health authorities and other organizations controlled by or accountable to the provincial government. Collectively, they are called the Government Reporting Entity (GRE).
WHAT WE DID
2013
In 2013, we asked 138 organizations in the GRE to complete a self-assessment of their sophistication regarding use of general computing controls. We reported the results in terms of a maturity level that each BC government organization had attained.
The self-assessment was designed using the maturity model defined in the COBIT 4.1 framework (see Exhibit 1). The maturity model is a way to assess how well developed and capable the established IT controls are.
COBIT 4.1 is a globally accepted framework developed by the IT Governance Institute. The institute was formed by ISACA – an independent, non-profit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.
The self-assessment focused on nine critical IT processes defined in COBIT 4.1 as essential for maintaining:
- confidentiality: protecting the information they manage
- integrity: ensuring that transactions are processed correctly
- availability: ensuring critical government services are always up and running
0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 - Initial/ad hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable but intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 - Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 - Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Exhibit 1: COBIT 4.1 Maturity model rating definitions
Source: COBIT 4.1 control framework for IT governance (www.isaca.org)
See Table 1 for the description of each of the nine areas.
In 2013, we received 100% of the organizations' self-assessments. We did not validate the results of their self-assessments, but we sent reports to the heads of each organization. The reports showed their results compared to similar organizations and provided recommendations on how they can achieve or improve their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.
In January 2014, we published a high-level report summarizing our findings and intent for future years as part of our IT compendium report.
2014
In August 2014, we asked the same 137[1] organizations, plus nine Independent Offices of the Legislative Assembly and two new organizations (in total, 148 organizations), to complete the same self-assessment.
This year, though, we selected 13 organizations and validated their self-assessments. This sample included a ministry, a health authority, two Crown corporations, three universities, two colleges and four school districts. The validation process included:
- reviewing the completed self-assessment form
- interviewing key IT personnel from each organization
- examining supporting evidence for the self-assessed levels
Again, we sent detailed reports to the heads of all 148 organizations, comparing their results to similar organizations as well as their 2013 results. These reports provided recommendations on how they can achieve or improve on their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.
We conducted this project under sections 10 and 11 (8) (b) of the Auditor General Act, from August 2014 to June 2015.
[1] One of the 138 organizations in 2013 was dissolved in 2014.
DETERMINING THE BENCHMARK
The COBIT 4.1 model states that maturity levels may be different for each organization, depending on the organizations' business objectives, complexity of their computing systems and IT environment, and the value of the information they manage. For example, a government organization that has the personal information of every person in British Columbia, or that provides critical services, should have higher maturity levels.
We believe that each organization should aim for at least maturity level 3: Defined Process as their baseline. At this level, organizations have standardized and documented their procedures, mandated that they be followed and trained staff accordingly.
WHAT WE OBSERVED
ORGANIZATIONS SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013
Overall, the average self-assessed maturity level across all the organizations in the BC GRE and the nine IT processes was between 2.3 and 3.4. This is slightly higher than the 2013 results, which were between maturity levels 2.2 and 3.3 (see Exhibit 2).
Health authorities, ministries and Crown corporations had consistently higher average maturity levels than universities, colleges and school districts. See Appendix A for maturity levels by the nine IT processes and type of organization.
Exhibit 2: Range and average self-assessed maturity level for each IT process
[Chart not reproduced: maturity levels (0 to 5) for each of the nine IT processes, showing the 2014 and 2013 range and the 2014 and 2013 average.]
Source: Office of the Auditor General of British Columbia
THE MAJORITY OF ORGANIZATIONS SELF-ASSESSED AT MATURITY LEVEL 3 AND ABOVE
Between 51% and 84% of the organizations self-assessed at maturity level 3 and above in eight of the nine IT processes (see Exhibit 3).
Exhibit 3: Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
[Chart not reproduced: percentage of organizations (0 to 100) for each of the nine IT processes, split into maturity level 3 and above and below maturity level 3, for 2014 and 2013.]
Source: Office of the Auditor General of British Columbia
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL
In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one or as many as all nine IT processes.
For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.
Validation findings for the nine IT processes
The table below summarizes our validation results for each of the nine IT processes we looked at.
Table 1: Validation findings for each IT process
1. Assess and manage IT risks
All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks so that senior management can make informed decisions about the risks they are willing to accept.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.
Deficiencies in general computing controls:
- Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
- Risk management processes were not consistently applied to all activities in IT operations
2. Manage changes
Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay of services, or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.
Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.
Deficiencies in general computing controls:
- Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
- Lack of management's periodic monitoring of compliance with established policies, standards and procedures
3. Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed
4. Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers
- Did not follow its IT purchasing policy, and the policy was out-dated
5. Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined
- Lack of training and monitoring for continuous service
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.)
6. Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies
- Responsibility for systems security was neither clearly assigned nor independent from IT operations
- Security awareness and training was limited
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or was not aligned with business objectives
7. Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak
- Not all staff were trained in health, safety and emergency procedures
8. Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures
9. Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance
- High degree of reliance on the knowledge of individuals monitoring activities
- Procedures and indicators for managing IT performance were still in development
- Where monitoring processes exist, the indicators were output-based rather than outcome-based
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO
We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.
We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Charts not reproduced. Each of the nine charts plots average maturity levels (0 to 5) by type of organization (Ministries, Crown Corporations, Health Authorities, Universities, Colleges, School Districts), showing the 2013 and 2014 average for type of organization and the 2013 and 2014 average for IT process area.]
1. Assess and manage IT risks
2. Manage changes
3. Install and accredit solutions and changes
4. Manage third-party services
5. Ensure continuous service
6. Ensure systems security
7. Manage the physical environment
8. Manage operations
9. Monitor and evaluate IT performance
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government's Corporate Accounting System: Part 1 | 14 | 12 | 86%
Audit of the Government's Corporate Accounting System: Part 2 | 13 | 5 | 38%
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67%
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100%
Integrated Case Management System | 7 | 5 | 71%
IT Continuity Planning in Government | 9 | 9 | 100%
Managing Access to the Corrections Case Management System | 9 | 9 | 100%
Managing Government's Payment Processing | 6 | 3 | 50%
Securing the Justin System: Access and Security Audit at The Ministry of Justice | 5 | 5 | 100%
Summary Report: Results of Completed Projects - Info Security Management: An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100%
Summary Report: Results of Completed Projects - Wireless Networking Security: Phase 3 | 22 | 16 | 73%
The PARIS System for Community Care Services: Access and Security | 10 | 9 | 90%
Wireless Networking Security in Government: Phase 2 | 21 | 15 | 71%
Wireless Networking Security in Victoria Government Offices: Gaps in the Defensive Line | 4 | 4 | 100%
Total | 133 | 104 | 78%
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains further information about the Office.
Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover, Assistant Auditor General, Corporate Services
David Lau, Director, IT Audit
Joji Forin, Manager, IT Audit
Joyce Mak, Senior Auditor, Financial Audit
Helen Li-Hennessey, Senior Auditor, Financial Audit
Nijjy Poikanon, Auditor, IT Audit
Wendy Lee, Senior Audit Associate, Financial Audit
Thank you to our staff members not listed above for your work on this project.
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 725
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
BACKGROUND
THE IMPORTANCE OF GENERAL COMPUTING CONTROLS
Information technology (IT) is critical to government's day-to-day operations. From delivering services like healthcare and education to processing billions of dollars in transactions, BC's government IT systems handle substantial and sensitive information. This impacts the daily lives of everyone in our province.
More and more, government is relying on third parties to develop their IT systems and provide IT services. There are currently over 600 outsourced IT systems and services across government.
All these come with risks, such as:
- fraud: intentional access to systems and data for personal gain
- human errors: unintentional changes to systems and data
- down time: inability to resume critical services quickly after an unexpected disruption (power outages, disasters or malicious activities)
To reduce the impact of these risks, government needs strong controls.
General computing controls ensure that IT systems and services can help organizations fulfill their needs (the business objectives) through the proper development and implementation of applications, as well as the integrity of programs, data files and computer operations.
They play an important role in detecting and preventing fraud and errors, protecting organizations' IT assets, and ensuring that critical business operations could continue. As such, 78% of the recommendations in our IT audit reports over the last 10 years focused on improving general computing controls. See Appendix B for a summary of these 104 IT audit recommendations.
RESPONSIBILITY FOR GENERAL COMPUTING CONTROLS
The BC Office of the Government Chief Information Officer is mandated with governance authority for standards setting, oversight and approvals for the province's information and communications technology.
BC government organizations are responsible for following the spirit and intent of this policy in designing and implementing the general computing controls best suited for their IT environment – regardless of whether IT systems or services are in-house or outsourced.
BC government organizations include ministries, Crown corporations, universities, colleges, school districts, health authorities and other organizations controlled by or accountable to the provincial government. Collectively, they are called the Government Reporting Entity (GRE).
WHAT WE DID
2013
In 2013, we asked 138 organizations in the GRE to complete a self-assessment of their sophistication regarding use of general computing controls. We reported the results in terms of a maturity level that each BC government organization had attained.
The self-assessment was designed using the maturity model defined in the COBIT 4.1 framework (see Exhibit 1). The maturity model is a way to assess how well developed and capable the established IT controls are.
COBIT 4.1 is a globally accepted framework developed by the IT Governance Institute. The institute was formed by ISACA – an independent, non-profit, global association that engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.
The self-assessment focused on nine critical IT processes, defined in COBIT 4.1 as essential for maintaining:
- confidentiality: protecting the information they manage
- integrity: ensuring that transactions are processed correctly
- availability: ensuring critical government services are always up and running
0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 - Initial/ad hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable but intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 - Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 - Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
Exhibit 1: COBIT 4.1 Maturity model rating definitions
Source: COBIT 4.1 control framework for IT governance (www.isaca.org)
See Table 1 for the description of each of the nine areas.
In 2013, we received 100% of the organizations' self-assessments. We did not validate the results of their self-assessments, but we sent reports to the heads of each organization. The reports showed their results compared to similar organizations and provided recommendations on how they can achieve or improve their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.
In January 2014, we published a high-level report summarizing our findings and intent for future years as part of our IT compendium report.
2014
In August 2014, we asked the same 137¹ organizations, plus nine Independent Offices of the Legislative Assembly and two new organizations (in total, 148 organizations), to complete the same self-assessment.
This year though, we selected 13 organizations and validated their self-assessments. This sample included a ministry, a health authority, two Crown corporations, three universities, two colleges and four school districts. The validation process included:
- reviewing the completed self-assessment form
- interviewing key IT personnel from each organization
- examining supporting evidence for the self-assessed levels
¹ One of the 138 organizations in 2013 was dissolved in 2014.
Again, we sent detailed reports to the heads of all 148 organizations, comparing their results to similar organizations, as well as their 2013 results. These reports provided recommendations on how they can achieve or improve on their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.
We conducted this project under sections 10 and 11 (8) (b) of the Auditor General Act, from August 2014 to June 2015.
DETERMINING THE BENCHMARK
The COBIT 4.1 model states that maturity levels may be different for each organization depending on the organizations' business objectives, complexity of their computing systems and IT environment, and the value of the information they manage. For example, a government organization that has the personal information of every person in British Columbia, or that provides critical services, should have higher maturity levels.
We believe that each organization should aim for at least maturity level 3: Defined Process as their baseline. At this level, organizations have standardized and documented their procedures, mandated that they be followed and trained staff accordingly.
WHAT WE OBSERVED
ORGANIZATIONS SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013
Overall, the average self-assessed maturity level across all the organizations in the BC GRE and the nine IT processes was between 2.3 and 3.4. This is slightly higher than the 2013 results, which were between maturity levels 2.2 and 3.3 (See Exhibit 2).
Health authorities, ministries and Crown corporations had consistently higher average maturity levels than universities, colleges and school districts. See Appendix A for maturity levels by the nine IT processes and type of organization.
Exhibit 2: Range and average self-assessed maturity level for each IT process
[Chart: maturity levels (0 to 5) for each of the nine IT processes, showing the 2014 range, 2013 range, 2014 average and 2013 average.]
Source: Office of the Auditor General of British Columbia
THE MAJORITY OF ORGANIZATIONS SELF-ASSESSED AT MATURITY LEVEL 3 AND ABOVE
Between 51% and 84% of the organizations self-assessed at maturity level 3 and above in eight of the nine IT processes (See Exhibit 3).
Exhibit 3: Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
[Chart: percentage of organizations (0 to 100) at maturity level 3 and above and below maturity level 3 for each of the nine IT processes, for 2014 and 2013.]
Source: Office of the Auditor General of British Columbia
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL
In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one or as many as all nine IT processes.
For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.
Validation findings for the nine IT processes
The table below summarizes our validation results for each of the nine IT processes we looked at.
Table 1: Validation findings for each IT process
1. Assess and manage IT risks
All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks so that senior management can make informed decisions about the risks they are willing to accept.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.
Deficiencies in general computing controls:
- Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
- Risk management processes were not consistently applied to all activities in IT operations
2. Manage changes
Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay of services, or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.
Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.
Deficiencies in general computing controls:
- Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
- Lack of management's periodic monitoring of compliance with established policies, standards and procedures
3. Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in-line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed
4. Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers
- Did not follow its IT purchasing policy and the policy was out-dated
5. Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined
- Lack of training and monitoring for continuous service
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.)
6. Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies
- Responsibility for systems security was neither clearly assigned nor independent from IT operations
- Security awareness and training was limited
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or was not aligned with business objectives
7. Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak
- Not all staff were trained in health, safety and emergency procedures
8. Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures
9. Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance
- High degree of reliance on the knowledge of individuals monitoring activities
- Procedures and indicators for managing IT performance were still in development
- Where monitoring processes exist, the indicators were output-based rather than outcome-based
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO
We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.
We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Charts, one for each of the nine IT processes: average maturity levels (0 to 5) by type of organization (ministries, Crown corporations, health authorities, universities, colleges, school districts), showing the 2013 and 2014 average for each type of organization and the 2013 and 2014 average for the IT process area. Chart titles: 1 Assess and manage IT risks; 2 Manage changes; 3 Install and accredit solutions and changes; 4 Manage third-party services; 5 Ensure continuous service; 6 Ensure systems security; 7 Manage the physical environment; 8 Manage operations; 9 Monitor and evaluate IT performance.]
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
| IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes |
| --- | --- | --- | --- |
| Audit of the Government's Corporate Accounting System Part 1 | 14 | 12 | 86% |
| Audit of the Government's Corporate Accounting System Part 2 | 13 | 5 | 38% |
| Electronic Health Record Implementation in British Columbia | 3 | 2 | 67% |
| Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100% |
| Integrated Case Management System | 7 | 5 | 71% |
| IT Continuity Planning in Government | 9 | 9 | 100% |
| Managing Access to the Corrections Case Management System | 9 | 9 | 100% |
| Managing Government's Payment Processing | 6 | 3 | 50% |
| Securing the Justin System Access and Security Audit at The Ministry of Justice | 5 | 5 | 100% |
| Summary Report Results of Completed Projects - Info Security Management An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100% |
| Summary Report Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73% |
| The PARIS System for Community Care Services Access and Security | 10 | 9 | 90% |
| Wireless Networking Security in Government Phase 2 | 21 | 15 | 71% |
| Wireless Networking Security in Victoria Government Offices Gaps in the Defensive Line | 4 | 4 | 100% |
| Total | 133 | 104 | 78% |
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains
further information about the Office.
Reproducing
Inormaion presened here is he inellecual propery o he Audior
General o Briish Columbia and is copyrigh proeced in righ o he
Crown We invie readers o reproduce any maerial asking only ha
hey credi our Office wih auhorship when any inormaion resuls or
recommendaions are used
AUDIT TEAMCornell Dover
Assistant Auditor General
Corporate Services
David Lau
Director I Audit
Joji Forin
Manager I Audit
Joyce Mak
Senior Auditor Financial Audit
Helen Li- Hennessey
Senior Auditor Financial Audit
Nijjy Poikanon
Auditor I Audit
Wendy Lee
Senior Audit Associate
Financial Audit
Tank you to our staff members
not listed above for your work on
this project
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 825
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
2013
I983150 983090983088983089983091 983159983141 asked 983089983091983096 organizaions in he GRE o complee a sel-assessmen o heir sophisicaionregarding use o general compuing conrols We repored he resuls in erms o a mauriy level ha each BC
governmen organizaion had atained
Te sel-assessmen was designed using he mauriy
model defined in he COBI 983092983089 ramework
(see Exhibi 983089) Te mauriy model is a way o
assess how well developed and capable he
esablished I conrols are
COBI 983092983089 is a globally acceped rameworkdeveloped by he I Governance Insiue Te
insiue was ormed by ISACA ndash an independen
non-profi global associaion ha engages in he
developmen adopion and use o globally acceped
indusry-leading knowledge and pracices or
inormaion sysems
Te sel-assessmen ocused on nine critical I processes
defined in COBI 983092983089 as essenial or mainaining
confidentiality proecing he inormaion hey
manage
integrity ensuring ha ransacions are
processed correcly
availability ensuring cr iical governmen
services are always up and running
WHAT WE DID
0 - Non-existent: Complete lack of any recognizable processes. The enterprise has not even recognized that there is an issue to be addressed.
1 - Initial/ad hoc: There is evidence that the enterprise has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead, there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 - Repeatable but intuitive: Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and, therefore, errors are likely.
3 - Defined Process: Procedures have been standardized and documented, and communicated through training. It is mandated that these processes should be followed; however, it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 - Managed and measurable: Management monitors and measures compliance with procedures and takes action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 - Optimized: Processes have been refined to a level of good practice, based on the results of continuous improvement and maturity modeling with other enterprises. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

Exhibit 1: COBIT 4.1 Maturity model rating definitions
Source: COBIT 4.1 control framework for IT governance (www.isaca.org)
See Table 1 for the description of each of the nine areas.

In 2013, we received 100% of the organizations' self-assessments. We did not validate the results of their self-assessments, but we sent reports to the heads of each organization. The reports showed their results compared to similar organizations and provided recommendations on how they can achieve or improve their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.

In January 2014, we published a high-level report summarizing our findings and intent for future years, as part of our IT compendium report.

2014

In August 2014, we asked the same 137¹ organizations, plus nine Independent Offices of the Legislative Assembly and two new organizations (in total, 148 organizations), to complete the same self-assessment.

This year, though, we selected 13 organizations and validated their self-assessments. This sample included a ministry, a health authority, two Crown corporations, three universities, two colleges and four school districts. The validation process included:
- reviewing the completed self-assessment form
- interviewing key IT personnel from each organization
- examining supporting evidence for the self-assessed levels

¹ One of the 138 organizations in 2013 was dissolved in 2014.
Again, we sent detailed reports to the heads of all 148 organizations, comparing their results to similar organizations, as well as their 2013 results. These reports provided recommendations on how they can achieve or improve on their target maturity levels. We also sent a summary report to the BC Government Chief Information Officer.

We conducted this project under sections 10 and 11 (8) (b) of the Auditor General Act, from August 2014 to June 2015.

DETERMINING THE BENCHMARK

The COBIT 4.1 model states that maturity levels may be different for each organization, depending on the organizations' business objectives, complexity of their computing systems and IT environment, and the value of the information they manage. For example, a government organization that has the personal information of every person in British Columbia, or that provides critical services, should have higher maturity levels.

We believe that each organization should aim for at least maturity level 3: Defined Process as their baseline. At this level, organizations have standardized and documented their procedures, mandated that they be followed and trained staff accordingly.
WHAT WE OBSERVED
[Exhibit 2 chart: maturity levels (0 to 5) for each of the nine IT processes, showing the 2013 and 2014 range and the 2013 and 2014 average]
ORGANIZATIONS SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013

Overall, the average self-assessed maturity level across all the organizations in the BC GRE and the nine IT processes was between 2.3 and 3.4. This is slightly higher than the 2013 results, which were between maturity levels 2.2 and 3.3 (see Exhibit 2).

Health authorities, ministries and Crown corporations had consistently higher average maturity levels than universities, colleges and school districts. See Appendix A for maturity levels by the nine IT processes and type of organization.

Exhibit 2: Range and average self-assessed maturity level for each IT process
Source: Office of the Auditor General of British Columbia
THE MAJORITY OF ORGANIZATIONS SELF-ASSESSED AT MATURITY LEVEL 3 AND ABOVE

Between 51% and 84% of the organizations self-assessed at maturity level 3 and above in eight of the nine IT processes (see Exhibit 3).
Exhibit 3: Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
[Chart: percentage of organizations (0 to 100) at maturity level 3 and above and below maturity level 3, for each of the nine IT processes, 2013 and 2014]
Source: Office of the Auditor General of British Columbia
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL

In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one or as many as all nine IT processes.

For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.

Validation findings for the nine IT processes

The table below summarizes our validation results for each of the nine IT processes we looked at.
Table 1: Validation findings for each IT process

1 Assess and manage IT risks
All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks so that senior management can make informed decisions about the risks they are willing to accept.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.
Deficiencies in general computing controls:
- Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
- Risk management processes were not consistently applied to all activities in IT operations
2 Manage changes
Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay of services, or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.
Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.
Deficiencies in general computing controls:
- Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
- Lack of management's periodic monitoring of compliance with established policies, standards and procedures

3 Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed

4 Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers
- Did not follow its IT purchasing policy, and the policy was out-dated
5 Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined
- Lack of training and monitoring for continuous service
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.)

6 Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies
- Responsibility for systems security was neither clearly assigned nor independent from IT operations
- Security awareness and training was limited
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or were not aligned with business objectives
7 Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak
- Not all staff were trained in health, safety and emergency procedures
8 Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures

9 Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance
- High degree of reliance on the knowledge of individuals monitoring activities
- Procedures and indicators for managing IT performance were still in development
- Where monitoring processes exist, the indicators were output-based rather than outcome-based
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO

We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.

We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION

[Charts, one per IT process: average maturity levels (0 to 5) by type of organization (Ministries, Crown Corporations, Health Authorities, Universities, Colleges, School Districts), showing the 2013 and 2014 average for each type of organization and the 2013 and 2014 average for the IT process area]

1 Assess and manage IT risks [chart]
2 Manage changes [chart]
3 Install and accredit solutions and changes [chart: average maturity levels (0 to 5) by type of organization, 2013 and 2014]
4 Manage third-party services [chart: average maturity levels (0 to 5) by type of organization, 2013 and 2014]
5 Ensure continuous service [chart: average maturity levels (0 to 5) by type of organization, 2013 and 2014]
6 Ensure systems security [chart: average maturity levels (0 to 5) by type of organization, 2013 and 2014]
7 Manage the physical environment [chart: average maturity levels (0 to 5) by type of organization, 2013 and 2014]
8 Manage operations [chart: average maturity levels (0 to 5) by type of organization, 2013 and 2014]
9 Monitor and evaluate IT performance [chart: average maturity levels (0 to 5) by type of organization, 2013 and 2014]
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS

IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government's Corporate Accounting System: Part 1 | 14 | 12 | 86
Audit of the Government's Corporate Accounting System: Part 2 | 13 | 5 | 38
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100
Integrated Case Management System | 7 | 5 | 71
IT Continuity Planning in Government | 9 | 9 | 100
Managing Access to the Corrections Case Management System | 9 | 9 | 100
Managing Government's Payment Processing | 6 | 3 | 50
Securing the Justin System: Access and Security Audit at The Ministry of Justice | 5 | 5 | 100
Summary Report: Results of Completed Projects - Info Security Management: An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100
Summary Report: Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73
The PARIS System for Community Care Services: Access and Security | 10 | 9 | 90
Wireless Networking Security in Government: Phase 2 | 21 | 15 | 71
Wireless Networking Security in Victoria Government Offices: Gaps in the Defensive Line | 4 | 4 | 100
Total | 133 | 104 | 78
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1

Office Hours
Monday to Friday
8:30 am – 4:30 pm

Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com

This report and others are available at our website, which also contains further information about the Office.

Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.

AUDIT TEAM
Cornell Dover
Assistant Auditor General, Corporate Services
David Lau
Director, IT Audit
Joji Forin
Manager, IT Audit
Joyce Mak
Senior Auditor, Financial Audit
Helen Li- Hennessey
Senior Auditor, Financial Audit
Nijjy Poikanon
Auditor, IT Audit
Wendy Lee
Senior Audit Associate, Financial Audit

Thank you to our staff members not listed above for your work on this project.
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 925
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
See able 983089 or he descripion o each o he
nine areas
In 983090983088983089983091 we received 983089983088983088 o he organizaionsrsquo sel-assessmens We did no validae he resuls o heir
sel-assessmens bu we sen repors o he heads o
each organizaion Te repors showed heir resuls
compared o similar organizaions and provided
recommendaions on how hey can achieve or improve
heir arge mauriy levels We also sen a summary
repor o he BC Governmen Chie Inormaion
Officer
In January 983090983088983089983092 we published a high-level reporsummarizing our findings and inen or uure years as
par o our I compendium repor
2014
In Augus 983090983088983089983092 we asked he same 983089983091983095983089 organizaions
plus nine Independen Offices o he Legislaive
Assembly and wo new organizaions (in oal 983089983092983096
organizaions) o complee he same sel-assessmen
Tis year hough we seleced 983089983091 organizaions
and validaed heir sel-assessmens Tis sample
included a minisry a healh auhoriy wo Crown
corporaions hree universiies wo colleges and our
school disrics Te validaion process included
reviewing he compleed sel-assessmen orm
inerviewing key I personnel rom each
organizaion
examining supporing evidence or he sel-
assessed levels
983089 One o he 983089983091983096 organizaions in 983090983088983089983091 was dissolved in 983090983088983089983092
WHAT WE DID
Again we sen deailed repors o he heads o all
983089983092983096 organizaions comparing heir resuls o similar
organizaions as well as heir 983090983088983089983091 resuls Tese
repors provided recommendaions on how hey canachieve or improve on heir arge mauriy levels We
also sen a summary repor o he BC Governmen
Chie Inormaion Officer
We conduced his projec under secions 983089983088 and 983089983089
(983096) (b) o he Auditor General Act rom Augus 983090983088983089983092 o
June 983090983088983089983093
DETERMINING THE
BENCHMARK
Te COBI 983092983089 model saes ha mauriy levels may
be differen or each organizaion depending on he
organizaionsrsquo business objecives complexiy o heir
compuing sysems and I environmen and he
value o he inormaion hey manage For example
a governmen organizaion ha has he personal
inormaion o every person in Briish Columbia or
ha provides criical services should have highermauriy levels
We believe ha each organizaion should aim or a
leas maturity level 983091 Defined Process as heir baseline
A his level organizaions have sandardized and
documened heir procedures mandaed ha hey be
ollowed and rained saff accordingly
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1025
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
WHAT WE OBSERVED
0
1
2
3
4
5
27 26
31 3130 29 28
3028
32 3134 33
23 22
30 3029
M a t u r i t y
l e v e
l s
IT processes
M o n i t o
r a n d
e v a l u a
t e
I T p e r f o
r m a n
c e
M a n
a g e o p
e r a t i o
n s
M a n
a g e t h e
p h y s i c a l e
n v i r o
n m e n t
E n s u r e
s y s t e
m s s e
c u r i t y
E n s u r e
c o n t i n u
o u s s e
r v i c e
M a n a
g e t h i r d -
p a r t y
s e r v i c e
s
I n s t a l l a n
d a c c r
e d i t
s o l u t i o
n s a n d
c h a n g
e s
M a n
a g e c h a
n g e s
A
s s e s s a n
d m a n
a g e I T
r i s k s
2014 Range 2013 Range2013 Average2014 Average
ORGANIZATIONS SELF-ASSESSED A HIGHER
AVERAGE MATURITY LEVEL THAN 2013
O983158983141983154983137983148983148 983156983144983141 983137983158983141983154983137983143983141 sel-assessed mauriy level across all he organizaions in he BC GRE and
he nine I processes was beween 983090983091 and 983091983092 Tis is slighly higher han he 983090983088983089983091 resuls which were beween
mauriy levels 983090983090 and 983091983091 (See Exhibi 983090)
Healh auhoriies minisries and Crown corporaions
had consisenly higher average mauriy levels
han universiies colleges and school disrics
See Appendix A or mauriy levels by he nine I
processes and ype o organizaion
Exhibit 2 Range and average self-assessed maturity level for each IT process
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
THE MAJORITY OF ORGANIZATIONS SELF-
ASSESSED AT MATURITY LEVEL 3 AND ABOVE
Beween 983093983089 and 983096983092 o he organizaions sel-assessed a mauriy level 983091 and above in eigh o he nine Iprocesses (See Exhibi 983091)
WHAT WE OBSERVED
Exhibit 3 Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
P e r c e n t a g e
IT processes
0
20
40
60
80
100
M o n i t o
r a n d
e v a l u a
t e
I T p e r f o
r m a n
c e
M a n
a g e o p
e r a t i o
n s
M a n
a g e t h e
p h y s i c a l
e n v i r o
n m e n t
E n s u r e
s y s t e
m s s e
c u r i t y
E n s u r e
c o n t i n u
o u s s e
r v i c e
M a n
a g e t h i r d -
p a r t y
s e r v i c e
I n s t a l l a n
d a c c r
e d i t
s o l u t i o
n s a n d
c h a n g
e s
M a n
a g e c h a
n g e s
A s s e s s
a n d
m a n
a g e I T r i s k s
2014 - Maturity level 3 and above2014 - Below maturity level 3
2013 - Maturity level 3 and above2013 - Below maturity level 3
49 52
51 48
30 39
70 61
33 35
67 65
25 31
75 69
41 43
59 57
32 39
68 61
18 20
82 80
16 20
84 80
60 65
40 35
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL
In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one or as many as all nine IT processes.
For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.
Validation findings for the nine IT processes
The table below summarizes our validation results for each of the nine IT processes we looked at.
Table 1: Validation findings for each IT process
1. Assess and manage IT risks
All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks so that senior management can make informed decisions about the risks they are willing to accept.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.
Deficiencies in general computing controls:
- Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
- Risk management processes were not consistently applied to all activities in IT operations
2. Manage changes
Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay of services, or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.
Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.
Deficiencies in general computing controls:
- Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
- Lack of management's periodic monitoring of compliance with established policies, standards and procedures
3. Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in-line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed
4. Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers
- Did not follow its IT purchasing policy and the policy was out-dated
5. Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined
- Lack of training and monitoring for continuous service
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.)
6. Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies
- Responsibility for systems security was neither clearly assigned nor independent from IT operations
- Security awareness and training was limited
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or was not aligned with business objectives
7. Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak
- Not all staff were trained in health, safety and emergency procedures
8. Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures
9. Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance
- High degree of reliance on the knowledge of individuals monitoring activities
- Procedures and indicators for managing IT performance were still in development
- Where monitoring processes exist, the indicators were output-based rather than outcome-based
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO
We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.
We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Chart: 1 Assess and manage IT risks. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
[Chart: 2 Manage changes. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
[Chart: 3 Install and accredit solutions and changes. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
[Chart: 4 Manage third-party services. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
[Chart: 5 Ensure continuous service. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
[Chart: 6 Ensure systems security. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
[Chart: 7 Manage the physical environment. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
[Chart: 8 Manage operations. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
[Chart: 9 Monitor and evaluate IT performance. Vertical axis: Average maturity levels (0 to 5). Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2014 Average for type of organization; 2013 Average for type of organization; 2014 Average for IT process area; 2013 Average for IT process area.]
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government's Corporate Accounting System: Part 1 | 14 | 12 | 86
Audit of the Government's Corporate Accounting System: Part 2 | 13 | 5 | 38
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100
Integrated Case Management System | 7 | 5 | 71
IT Continuity Planning in Government | 9 | 9 | 100
Managing Access to the Corrections Case Management System | 9 | 9 | 100
Managing Government's Payment Processing | 6 | 3 | 50
Securing the Justin System: Access and Security Audit at The Ministry of Justice | 5 | 5 | 100
Summary Report: Results of Completed Projects - Info Security Management: An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100
Summary Report: Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73
The PARIS System for Community Care Services: Access and Security | 10 | 9 | 90
Wireless Networking Security in Government: Phase 2 | 21 | 15 | 71
Wireless Networking Security in Victoria Government Offices: Gaps in the Defensive Line | 4 | 4 | 100
Total | 133 | 104 | 78
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains further information about the Office.
Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover, Assistant Auditor General, Corporate Services
David Lau, Director, IT Audit
Joji Forin, Manager, IT Audit
Joyce Mak, Senior Auditor, Financial Audit
Helen Li-Hennessey, Senior Auditor, Financial Audit
Nijjy Poikanon, Auditor, IT Audit
Wendy Lee, Senior Audit Associate, Financial Audit
Thank you to our staff members not listed above for your work on this project.
WHAT WE OBSERVED
ORGANIZATIONS SELF-ASSESSED A HIGHER AVERAGE MATURITY LEVEL THAN 2013
Overall, the average self-assessed maturity level across all the organizations in the BC GRE and the nine IT processes was between 2.3 and 3.4. This is slightly higher than the 2013 results, which were between maturity levels 2.2 and 3.3. (See Exhibit 2.)
Health authorities, ministries and Crown corporations had consistently higher average maturity levels than universities, colleges and school districts. See Appendix A for maturity levels by the nine IT processes and type of organization.
Exhibit 2: Range and average self-assessed maturity level for each IT process
[Chart. Vertical axis: Maturity levels (0 to 5). Horizontal axis: IT processes (Monitor and evaluate IT performance; Manage operations; Manage the physical environment; Ensure systems security; Ensure continuous service; Manage third-party services; Install and accredit solutions and changes; Manage changes; Assess and manage IT risks). Legend: 2014 Range; 2013 Range; 2014 Average; 2013 Average.]
Source: Office of the Auditor General of British Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
THE MAJORITY OF ORGANIZATIONS SELF-
ASSESSED AT MATURITY LEVEL 3 AND ABOVE
Beween 983093983089 and 983096983092 o he organizaions sel-assessed a mauriy level 983091 and above in eigh o he nine Iprocesses (See Exhibi 983091)
WHAT WE OBSERVED
Exhibit 3 Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
P e r c e n t a g e
IT processes
0
20
40
60
80
100
M o n i t o
r a n d
e v a l u a
t e
I T p e r f o
r m a n
c e
M a n
a g e o p
e r a t i o
n s
M a n
a g e t h e
p h y s i c a l
e n v i r o
n m e n t
E n s u r e
s y s t e
m s s e
c u r i t y
E n s u r e
c o n t i n u
o u s s e
r v i c e
M a n
a g e t h i r d -
p a r t y
s e r v i c e
I n s t a l l a n
d a c c r
e d i t
s o l u t i o
n s a n d
c h a n g
e s
M a n
a g e c h a
n g e s
A s s e s s
a n d
m a n
a g e I T r i s k s
2014 - Maturity level 3 and above2014 - Below maturity level 3
2013 - Maturity level 3 and above2013 - Below maturity level 3
49 52
51 48
30 39
70 61
33 35
67 65
25 31
75 69
41 43
59 57
32 39
68 61
18 20
82 80
16 20
84 80
60 65
40 35
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
MOST ORGANIZATIONS LACKED SUFFICIENT
EVIDENCE TO SUPPORT THEIR SELF-ASSESSED
MATURITY LEVEL In our validaion we ound ha nine o he 983089983091
organizaions (983094983097) did no have sufficien evidence
o suppor heir sel-assessed mauriy level in one or
as many as all nine I processes
For organizaions ha had insufficien evidence o
suppor heir sel-assessmens we discussed our
findings wih hose organizaions and adjused heir
mauriy levels accordingly
Validation findings for the nineIT processes
Te able below summarizes our validaion resuls or
each o he nine I processes we looked a
WHAT WE OBSERVED
Table 1 Validation findings for each IT process
1 Assess and manage IT risks
All organizaions should define a risk managemen ramework or ideniying assessing and reaing risks ha affec key business areas Te ramework helps gaher inormaion on I operaions risks so ha senior managemen can makeinormed decisions abou he risks hey are willing o accep
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Four organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 and 4
Risk ma nagemen processes and aciv iies were
no ormally documened
in he process o being documened
in he early sage o implemenaion
Risk ma nagemen processes were no consisenly applied o all
aciviies in I operaions
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
2 Manage changes
Organizaions should manage changes o sysems o preven inaccurae daa processing disrupion or delay o ser vicesor cause loss o inormaion Prior o implemenaion organizaions should define policies sandards procedures and
roles and responsibiliies or monioring assessing and auhorizing changes
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Tree organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 4 or 5
Change managemen processes were
no esablished
no ormally documened
in he process o being developed
in he early sage o implemenaion
Lack o managemenrsquos periodic monioring o compliance wih
esablished policies sandards and procedures
3 Install and accredit solutions and changes
In conjuncion wih he policies and procedures or managing changes o sysems organizaions need o have properplanning esing and implemenaion o changes and carry ou a pos-implemenaion review Tis will help ensure hasysems are operaional and are in-line wih he agreed-upon expecaions and oucomes
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Four organizaions lacked sufficienevidence o suppor sel-assessed
mauriy levels 3 or 4
Procedures were
ad hoc inormally documened
sill being developed
4 Manage third-party services
Organizaions should ensure ha hird-pary service providers are meeing business requiremens Tis is accomplished by clearly defining he roles responsibiliies and expecaions o all paries ogeher wih effecive monioring ocompliance wih service agreemens Tese processes help organizaions miigae he risk o hird-pary providersailing o perorm in accordance wih agreemens
Number of organizations withinsufficient evidence Deficiencies in general computing controls
wo organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 or 45
Lack o ormal documenaion in selecing and managing
hird-pary providers
Did no ollow is I purchasing policy a nd he policy was ou-daed
WHAT WE OBSERVED
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
5 Ensure continuous service
Te provision o coninuous uninerruped service requires defining roles and responsibiliies or all involved pariesdeveloping mainaining and periodic esing o I coninuiy plans using off-sie backup sorage or sysems and daa
and periodic I coninuiy raining Tese processes help minimize he impac o a major I service inerrupion onkey business uncions and processes
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Four organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 35 or 4
Roles and responsibiliies were no deined
Lack o raining a nd monioring or coninuous service
I coninuiy plans were
non-exisen
in he process o being developed
in exisence bu neiher updaed nor regularly esed
Backup aciliy wa s close o he main daa cenre and was exposed o
he same physical risks (earhquake sorm lood ire ec)
6 Ensure systems security
o mainain he inegriy o criical inormaion and proec heir I asses organizaions should define a securiymanagemen process which y pically includes
esablishing and mainai ning I secur iy policies sandards procedures plans roles and responsibiliies
monioring and esing securiy plans periodically o ideniy secur iy weaknesses or incidens
developing and carryi ng ou correcive acions in order o minimize heir business impac
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 o 45
I securiy policies procedures and plans were
no deined or ormally documened
in he process o being developed
no curren
I securiy procedures were no aligned wih I securiy policies
Responsibiliy or sysems secu riy was neiher clearly assigned nor
independen rom I operaions Securiy awareness and raining was limied
Risk and impac analysis esing monioring and reporing on
securiy were rarely car ried ou or was no aligned wih business
objecives
WHAT WE OBSERVED
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1525
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
o proec compuing aciliies and saff rom inenional or uninenional harm organizaions should
deine he roles and responsibiliies or managing he physical environmen
esablish appropriae physical sie requiremens
monior environmenal acors
manage physical access
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Seven organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels beween 2 and 5
Lack o ormal documenaion o deined
roles and responsibiliies
environmenal and physical securiy requiremens
Physical access o compuing aciliies was neiher moniored norreviewed
Some organizaions had no implemened prevenive measures
where hey had he monioring was weak
No all sa were rained in healh saey and emergency procedures
WHAT WE OBSERVED
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1625
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
8 Manage operations
o ensure complee and accurae processing o daa and minimize delays in business operaions organizaions needo have effecive managemen o daa processing procedures and diligen mainenance o compuing hardware Tis
includes deining roles and responsibiliies or managing I operaions
esablishing operaing pol icies and procedures or daa processing
proecing sensiive repors
monioring I inrasrucure perormance
ensuring prevenive mainenance o compuing hardware
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 375 4 or 45
Lack o ormal or up-o-dae documenaion o
I sandards a nd operaing procedures
clearly deined responsibiliies
Lack o
ongoing raining
monioring agains I sandards
High degree o reliance on he knowledge o individuals managi ng
I operaions
Processes or monioring he I inrasr ucure were no suicienly
addressing he roo causes o operaional errors and ailures
9 Monitor and evaluate IT performance
Monioring is essenial or effecive managemen o I perormance and ensures ha hings are done in line wihhe se direcions and policies Tis process includes defining and reporing on relevan perormance indicaors andaddressing deviaions promply
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 2 o 4
Organizaions used ad hoc and in ormal approaches in monioring
and evaluaing I perormance
High degree o reliance on he knowledge o individuals monioring
aciviies
Procedures and indicaors or managing I perormance were sill
in developmen
Where mon ioring processes exis he indicaors were oupu-based
raher han oucome-based
WHAT WE OBSERVED
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1725
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
WHAT ORGANIZATIONS SHOULD DO
WE RECOMMEND THAT with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals, and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.
We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Chart: 1 Assess and manage IT risks. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 3.8, 3.6, 3.0, 2.9, 4.0, 3.8, 2.5, 2.5, 2.3, 2.1, 2.3, 2.2]
[Chart: 2 Manage changes. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 3.9, 3.9, 3.6, 3.3, 3.8, 3.8, 3.1, 2.8, 2.6, 2.4, 2.7, 2.5]
[Chart: 3 Install and accredit solutions and changes. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 3.8, 3.7, 3.3, 3.1, 3.8, 4.0, 3.4, 3.0, 2.1, 2.0, 2.7, 2.8]
[Chart: 4 Manage third-party services. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 3.9, 3.8, 3.6, 3.4, 3.5, 3.2, 2.8, 2.9, 3.0, 2.9, 2.7, 2.5]
[Chart: 5 Ensure continuous service. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 3.2, 3.2, 3.0, 2.9, 3.4, 3.3, 2.4, 2.3, 2.6, 2.5, 2.8, 2.7]
[Chart: 6 Ensure systems security. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 3.7, 3.7, 3.2, 2.8, 3.3, 3.8, 2.8, 2.5, 2.2, 2.5, 2.8, 2.6]
[Chart: 7 Manage the physical environment. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 3.7, 3.5, 3.6, 3.5, 3.8, 3.8, 3.8, 3.4, 3.0, 2.8, 2.9, 2.9]
[Chart: 8 Manage operations. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 3.7, 3.6, 3.8, 3.6, 4.1, 4.0, 3.5, 3.2, 3.3, 3.3, 3.1, 3.2]
[Chart: 9 Monitor and evaluate IT performance. Average maturity levels (axis 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries), showing the 2013 and 2014 averages for each type of organization and the 2013 and 2014 averages for the IT process area. Bar labels in extracted order: 2.8, 2.5, 2.8, 2.5, 3.2, 2.8, 1.8, 1.6, 2.2, 1.8, 2.1, 2.1]
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government's Corporate Accounting System Part 1 | 14 | 12 | 86
Audit of the Government's Corporate Accounting System Part 2 | 13 | 5 | 38
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100
Integrated Case Management System | 7 | 5 | 71
IT Continuity Planning in Government | 9 | 9 | 100
Managing Access to the Corrections Case Management System | 9 | 9 | 100
Managing Government's Payment Processing | 6 | 3 | 50
Securing the Justin System Access and Security Audit at The Ministry of Justice | 5 | 5 | 100
Summary Report Results of Completed Projects - Info Security Management An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100
Summary Report Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73
The PARIS System for Community Care Services Access and Security | 10 | 9 | 90
Wireless Networking Security in Government Phase 2 | 21 | 15 | 71
Wireless Networking Security in Victoria Government Offices Gaps in the Defensive Line | 4 | 4 | 100
Total | 133 | 104 | 78
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains further information about the Office.
Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover
Assistant Auditor General, Corporate Services
David Lau
Director, IT Audit
Joji Forin
Manager, IT Audit
Joyce Mak
Senior Auditor, Financial Audit
Helen Li- Hennessey
Senior Auditor, Financial Audit
Nijjy Poikanon
Auditor, IT Audit
Wendy Lee
Senior Audit Associate, Financial Audit
Thank you to our staff members not listed above for your work on this project.
THE MAJORITY OF ORGANIZATIONS SELF-ASSESSED AT MATURITY LEVEL 3 AND ABOVE
Between 51% and 84% of the organizations self-assessed at maturity level 3 and above in eight of the nine IT processes (see Exhibit 3).
Exhibit 3: Percentage of organizations that self-assessed at maturity level 3 and above for each IT process
[Chart: vertical axis, percentage (0 to 100); horizontal axis, IT processes, labelled in extracted order: Monitor and evaluate IT performance; Manage operations; Manage the physical environment; Ensure systems security; Ensure continuous service; Manage third-party services; Install and accredit solutions and changes; Manage changes; Assess and manage IT risks. Legend: 2014 - Maturity level 3 and above; 2014 - Below maturity level 3; 2013 - Maturity level 3 and above; 2013 - Below maturity level 3. Bar labels in extracted order: 49 52, 51 48; 30 39, 70 61; 33 35, 67 65; 25 31, 75 69; 41 43, 59 57; 32 39, 68 61; 18 20, 82 80; 16 20, 84 80; 60 65, 40 35]
Source: Office of the Auditor General of British Columbia
MOST ORGANIZATIONS LACKED SUFFICIENT EVIDENCE TO SUPPORT THEIR SELF-ASSESSED MATURITY LEVEL
In our validation, we found that nine of the 13 organizations (69%) did not have sufficient evidence to support their self-assessed maturity level in one or as many as all nine IT processes.
For organizations that had insufficient evidence to support their self-assessments, we discussed our findings with those organizations and adjusted their maturity levels accordingly.
Validation findings for the nine IT processes
The table below summarizes our validation results for each of the nine IT processes we looked at.
Table 1: Validation findings for each IT process
1 Assess and manage IT risks
All organizations should define a risk management framework for identifying, assessing and treating risks that affect key business areas. The framework helps gather information on IT operations risks so that senior management can make informed decisions about the risks they are willing to accept.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 and 4.
Deficiencies in general computing controls:
- Risk management processes and activities were:
  - not formally documented
  - in the process of being documented
  - in the early stage of implementation
- Risk management processes were not consistently applied to all activities in IT operations
2 Manage changes
Organizations should manage changes to systems to prevent inaccurate data processing, disruption or delay of services or cause loss of information. Prior to implementation, organizations should define policies, standards, procedures, and roles and responsibilities for monitoring, assessing and authorizing changes.
Number of organizations with insufficient evidence: Three organizations lacked sufficient evidence to support self-assessed maturity levels 3, 4 or 5.
Deficiencies in general computing controls:
- Change management processes were:
  - not established
  - not formally documented
  - in the process of being developed
  - in the early stage of implementation
- Lack of management's periodic monitoring of compliance with established policies, standards and procedures
3 Install and accredit solutions and changes
In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in-line with the agreed-upon expectations and outcomes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.
Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed
4 Manage third-party services
Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.
Number of organizations with insufficient evidence: Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.
Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers
- Did not follow its IT purchasing policy and the policy was out-dated
5 Ensure continuous service
The provision of continuous uninterrupted service requires defining roles and responsibilities for all involved parties, developing, maintaining and periodic testing of IT continuity plans, using off-site backup storage for systems and data, and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence: Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined
- Lack of training and monitoring for continuous service
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.)
6 Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies
- Responsibility for systems security was neither clearly assigned nor independent from IT operations
- Security awareness and training was limited
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or was not aligned with business objectives
7 Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence: Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak
- Not all staff were trained in health, safety and emergency procedures
8 Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures
9 Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence: Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance
- High degree of reliance on the knowledge of individuals monitoring activities
- Procedures and indicators for managing IT performance were still in development
- Where monitoring processes exist, the indicators were output-based rather than outcome-based
Source: Office of the Auditor General of British Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1725
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
WHAT ORGANIZATIONSSHOULD DO
W983141 983154983141983139 983151983149983149 983141983150983140 983156983144983137983156 wih regard o he general compuing conrols organizaions in he BC
Governmen Reporing Eniy periodically
983089 review heir business and I goals and
deermine he arge mauriy level
983090 analyze he conrols necessary or meeing he
arge mauriy level
983091 deermine wha needs o be done o achieve he
arge mauriy level983092 monior he progress in achieving he arge
mauriy level
in accordance wih he COBI 983092983089 mauriy model
We also recommend ha he BC Office o he
Governmen Chie Inormaion Officer coninue o
promoe srong general compuing conrols and assis
governmen organizaions in achieving and improving
heir arge mauriy level
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1825
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
A v e r a g e m a t u r i t y
l e v e
l s
1 Assess and manage IT risks
0
1
2
3
4
5
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 36 30 29 40 38 25 25 23 21 23 22
A v e r a g e m a t u r i t y
l e v e
l s
2 Manage changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 39 36 33 38 38 31 28 26 24 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1925
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
A v e r a g e m a t u r i t y
l e v e
l s
3 Install and accredit solutions and changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 37 33 31 38 40 34 30 21 20 27 28
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
4 Manage third-party services
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 38 36 34 35 32 28 29 30 29 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2025
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
5 Ensure continuous service
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
32 32 30 29 34 33 24 23 26 25 28 27
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
6 Ensure systems security
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 37 32 28 33 38 28 25 22 25 28 26
A v e r a g e m a t u r i t y
l e v e
l s
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 35 36 35 38 38 38 34 30 28 29 29
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
8 Manage operations
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 36 38 36 41 40 35 32 33 33 31 32
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
9 Monitor and evaluate IT performance
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
28 25 28 25 32 28 18 16 22 18 21 21
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report titleTotal number of
recommendations
Number of
recommendationswithin the nine ITprocesses
Percentage of
recommendationswithin the nine ITprocesses
Audi o he Governmens Corporae AccouningSysem Par 1
14 12 86
Audi o he Governmens Corporae AccouningSysem Par 2
13 5 38
Elecronic Healh Record Implemenaionin Briish Columbia
3 2 67
Inormaion echnology Compendium - Web Applicaion Securiy Audi
4 4 100
Inegraed Case Managemen Sysem 7 5 71
I Coninuiy Planning in Governmen 9 9 100
Managing Access o he CorrecionsCase Managemen Sysem
9 9 100
Managing Governmens Paymen Processing 6 3 50
Securing he Jusin Sysem Accessand Securiy Audi a Te Minisry o Jusice
5 5 100
Summary Repor Resuls o Compleed Projecs -Ino Securiy Managemen An Audi on How WellGovernmen is Ideniying and Assessing is Risks
6 6 100
Summary Repor Resuls o Compleed Projecs - Wireless Neworking Securiy Phase 3
22 16 73
Te PARIS Sysem or CommuniyCare Services Access and Securiy 10 9 90
Wireless Neworking Securiy inGovernmen Phase 2
21 15 71
Wireless Neworking Securiy in VicoriaGovernmen Offices Gaps in he Deensive Line
4 4 100
Total 133 104 78
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
Location
983094983090983091 For Sree
Vicoria Briish Columbia
Canada V983096W 983089G983089
Office Hours
Monday o Friday
983096983091983088 am ndash 983092983091983088 pm
Telephone 983090983093983088-983092983089983097-983094983089983088983088
oll ree hrough Enquiry BC a 983089-983096983088983088-983094983094983091-983095983096983094983095
In Vancouver dial 983094983088983092-983094983094 983088-983090983092983090983089
Fax 983090983093983088-983091983096983095-983089983090983091983088
Email bcaudiorbcaudiorcom
Website wwwbcaudiorcom
Tis repor and ohers are available a our websie which also conains
urher inormaion abou he Office
Reproducing
Inormaion presened here is he inellecual propery o he Audior
General o Briish Columbia and is copyrigh proeced in righ o he
Crown We invie readers o reproduce any maerial asking only ha
hey credi our Office wih auhorship when any inormaion resuls or
recommendaions are used
AUDIT TEAMCornell Dover
Assistant Auditor General
Corporate Services
David Lau
Director I Audit
Joji Forin
Manager I Audit
Joyce Mak
Senior Auditor Financial Audit
Helen Li- Hennessey
Senior Auditor Financial Audit
Nijjy Poikanon
Auditor I Audit
Wendy Lee
Senior Audit Associate
Financial Audit
Tank you to our staff members
not listed above for your work on
this project
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
MOST ORGANIZATIONS LACKED SUFFICIENT
EVIDENCE TO SUPPORT THEIR SELF-ASSESSED
MATURITY LEVEL In our validaion we ound ha nine o he 983089983091
organizaions (983094983097) did no have sufficien evidence
o suppor heir sel-assessed mauriy level in one or
as many as all nine I processes
For organizaions ha had insufficien evidence o
suppor heir sel-assessmens we discussed our
findings wih hose organizaions and adjused heir
mauriy levels accordingly
Validation findings for the nineIT processes
Te able below summarizes our validaion resuls or
each o he nine I processes we looked a
WHAT WE OBSERVED
Table 1 Validation findings for each IT process
1 Assess and manage IT risks
All organizaions should define a risk managemen ramework or ideniying assessing and reaing risks ha affec key business areas Te ramework helps gaher inormaion on I operaions risks so ha senior managemen can makeinormed decisions abou he risks hey are willing o accep
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Four organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 and 4
Risk ma nagemen processes and aciv iies were
no ormally documened
in he process o being documened
in he early sage o implemenaion
Risk ma nagemen processes were no consisenly applied o all
aciviies in I operaions
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
2 Manage changes
Organizaions should manage changes o sysems o preven inaccurae daa processing disrupion or delay o ser vicesor cause loss o inormaion Prior o implemenaion organizaions should define policies sandards procedures and
roles and responsibiliies or monioring assessing and auhorizing changes
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Tree organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 4 or 5
Change managemen processes were
no esablished
no ormally documened
in he process o being developed
in he early sage o implemenaion
Lack o managemenrsquos periodic monioring o compliance wih
esablished policies sandards and procedures
3. Install and accredit solutions and changes

In conjunction with the policies and procedures for managing changes to systems, organizations need to have proper planning, testing and implementation of changes, and carry out a post-implementation review. This will help ensure that systems are operational and are in line with the agreed-upon expectations and outcomes.

Number of organizations with insufficient evidence:
Four organizations lacked sufficient evidence to support self-assessed maturity levels 3 or 4.

Deficiencies in general computing controls:
- Procedures were:
  - ad hoc, informally documented
  - still being developed
4. Manage third-party services

Organizations should ensure that third-party service providers are meeting business requirements. This is accomplished by clearly defining the roles, responsibilities and expectations of all parties, together with effective monitoring of compliance with service agreements. These processes help organizations mitigate the risk of third-party providers failing to perform in accordance with agreements.

Number of organizations with insufficient evidence:
Two organizations lacked sufficient evidence to support self-assessed maturity levels of 3 or 4.5.

Deficiencies in general computing controls:
- Lack of formal documentation in selecting and managing third-party providers
- Did not follow its IT purchasing policy and the policy was out-dated
5. Ensure continuous service

The provision of continuous uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.

Number of organizations with insufficient evidence:
Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.

Deficiencies in general computing controls:
- Roles and responsibilities were not defined
- Lack of training and monitoring for continuous service
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.)
6. Ensure systems security

To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact

Number of organizations with insufficient evidence:
Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.

Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies
- Responsibility for systems security was neither clearly assigned nor independent from IT operations
- Security awareness and training was limited
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or were not aligned with business objectives
7. Manage the physical environment

To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access

Number of organizations with insufficient evidence:
Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.

Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak
- Not all staff were trained in health, safety and emergency procedures
8. Manage operations

To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware

Number of organizations with insufficient evidence:
Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.

Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures
9. Monitor and evaluate IT performance

Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.

Number of organizations with insufficient evidence:
Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.

Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance
- High degree of reliance on the knowledge of individuals monitoring activities
- Procedures and indicators for managing IT performance were still in development
- Where monitoring processes exist, the indicators were output-based rather than outcome-based
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO

We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.

We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION

[Figures: nine bar charts, one per IT process. Vertical axis: average maturity levels (0 to 5). Horizontal axis: type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 average for type of organization; 2014 average for type of organization; 2013 average for IT process area; 2014 average for IT process area. Bar labels for each chart, in extracted order:]

1. Assess and manage IT risks: 3.8, 3.6, 3.0, 2.9, 4.0, 3.8, 2.5, 2.5, 2.3, 2.1, 2.3, 2.2
2. Manage changes: 3.9, 3.9, 3.6, 3.3, 3.8, 3.8, 3.1, 2.8, 2.6, 2.4, 2.7, 2.5
3. Install and accredit solutions and changes: 3.8, 3.7, 3.3, 3.1, 3.8, 4.0, 3.4, 3.0, 2.1, 2.0, 2.7, 2.8
4. Manage third-party services: 3.9, 3.8, 3.6, 3.4, 3.5, 3.2, 2.8, 2.9, 3.0, 2.9, 2.7, 2.5
5. Ensure continuous service: 3.2, 3.2, 3.0, 2.9, 3.4, 3.3, 2.4, 2.3, 2.6, 2.5, 2.8, 2.7
6. Ensure systems security: 3.7, 3.7, 3.2, 2.8, 3.3, 3.8, 2.8, 2.5, 2.2, 2.5, 2.8, 2.6
7. Manage the physical environment: 3.7, 3.5, 3.6, 3.5, 3.8, 3.8, 3.8, 3.4, 3.0, 2.8, 2.9, 2.9
8. Manage operations: 3.7, 3.6, 3.8, 3.6, 4.1, 4.0, 3.5, 3.2, 3.3, 3.3, 3.1, 3.2
9. Monitor and evaluate IT performance: 2.8, 2.5, 2.8, 2.5, 3.2, 2.8, 1.8, 1.6, 2.2, 1.8, 2.1, 2.1
APPENDIX B: SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS

IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government's Corporate Accounting System Part 1 | 14 | 12 | 86
Audit of the Government's Corporate Accounting System Part 2 | 13 | 5 | 38
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100
Integrated Case Management System | 7 | 5 | 71
IT Continuity Planning in Government | 9 | 9 | 100
Managing Access to the Corrections Case Management System | 9 | 9 | 100
Managing Government's Payment Processing | 6 | 3 | 50
Securing the Justin System Access and Security Audit at The Ministry of Justice | 5 | 5 | 100
Summary Report Results of Completed Projects - Info Security Management An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100
Summary Report Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73
The PARIS System for Community Care Services Access and Security | 10 | 9 | 90
Wireless Networking Security in Government Phase 2 | 21 | 15 | 71
Wireless Networking Security in Victoria Government Offices Gaps in the Defensive Line | 4 | 4 | 100
Total | 133 | 104 | 78
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1

Office Hours
Monday to Friday
8:30 am – 4:30 pm

Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com

This report and others are available at our website, which also contains further information about the Office.

Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover, Assistant Auditor General, Corporate Services
David Lau, Director, IT Audit
Joji Forin, Manager, IT Audit
Joyce Mak, Senior Auditor, Financial Audit
Helen Li-Hennessey, Senior Auditor, Financial Audit
Nijjy Poikanon, Auditor, IT Audit
Wendy Lee, Senior Audit Associate, Financial Audit

Thank you to our staff members not listed above for your work on this project.
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
2 Manage changes
Organizaions should manage changes o sysems o preven inaccurae daa processing disrupion or delay o ser vicesor cause loss o inormaion Prior o implemenaion organizaions should define policies sandards procedures and
roles and responsibiliies or monioring assessing and auhorizing changes
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Tree organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels 3 4 or 5
Change managemen processes were
no esablished
no ormally documened
in he process o being developed
in he early sage o implemenaion
Lack o managemenrsquos periodic monioring o compliance wih
esablished policies sandards and procedures
3 Install and accredit solutions and changes
In conjuncion wih he policies and procedures or managing changes o sysems organizaions need o have properplanning esing and implemenaion o changes and carry ou a pos-implemenaion review Tis will help ensure hasysems are operaional and are in-line wih he agreed-upon expecaions and oucomes
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Four organizaions lacked sufficienevidence o suppor sel-assessed
mauriy levels 3 or 4
Procedures were
ad hoc inormally documened
sill being developed
4 Manage third-party services
Organizaions should ensure ha hird-pary service providers are meeing business requiremens Tis is accomplished by clearly defining he roles responsibiliies and expecaions o all paries ogeher wih effecive monioring ocompliance wih service agreemens Tese processes help organizaions miigae he risk o hird-pary providersailing o perorm in accordance wih agreemens
Number of organizations withinsufficient evidence Deficiencies in general computing controls
wo organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 or 45
Lack o ormal documenaion in selecing and managing
hird-pary providers
Did no ollow is I purchasing policy a nd he policy was ou-daed
WHAT WE OBSERVED
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
5 Ensure continuous service
Te provision o coninuous uninerruped service requires defining roles and responsibiliies or all involved pariesdeveloping mainaining and periodic esing o I coninuiy plans using off-sie backup sorage or sysems and daa
and periodic I coninuiy raining Tese processes help minimize he impac o a major I service inerrupion onkey business uncions and processes
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Four organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 35 or 4
Roles and responsibiliies were no deined
Lack o raining a nd monioring or coninuous service
I coninuiy plans were
non-exisen
in he process o being developed
in exisence bu neiher updaed nor regularly esed
Backup aciliy wa s close o he main daa cenre and was exposed o
he same physical risks (earhquake sorm lood ire ec)
6 Ensure systems security
o mainain he inegriy o criical inormaion and proec heir I asses organizaions should define a securiymanagemen process which y pically includes
esablishing and mainai ning I secur iy policies sandards procedures plans roles and responsibiliies
monioring and esing securiy plans periodically o ideniy secur iy weaknesses or incidens
developing and carryi ng ou correcive acions in order o minimize heir business impac
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 3 o 45
I securiy policies procedures and plans were
no deined or ormally documened
in he process o being developed
no curren
I securiy procedures were no aligned wih I securiy policies
Responsibiliy or sysems secu riy was neiher clearly assigned nor
independen rom I operaions Securiy awareness and raining was limied
Risk and impac analysis esing monioring and reporing on
securiy were rarely car ried ou or was no aligned wih business
objecives
WHAT WE OBSERVED
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1525
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
o proec compuing aciliies and saff rom inenional or uninenional harm organizaions should
deine he roles and responsibiliies or managing he physical environmen
esablish appropriae physical sie requiremens
monior environmenal acors
manage physical access
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Seven organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels beween 2 and 5
Lack o ormal documenaion o deined
roles and responsibiliies
environmenal and physical securiy requiremens
Physical access o compuing aciliies was neiher moniored norreviewed
Some organizaions had no implemened prevenive measures
where hey had he monioring was weak
No all sa were rained in healh saey and emergency procedures
WHAT WE OBSERVED
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1625
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
8 Manage operations
o ensure complee and accurae processing o daa and minimize delays in business operaions organizaions needo have effecive managemen o daa processing procedures and diligen mainenance o compuing hardware Tis
includes deining roles and responsibiliies or managing I operaions
esablishing operaing pol icies and procedures or daa processing
proecing sensiive repors
monioring I inrasrucure perormance
ensuring prevenive mainenance o compuing hardware
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 375 4 or 45
Lack o ormal or up-o-dae documenaion o
I sandards a nd operaing procedures
clearly deined responsibiliies
Lack o
ongoing raining
monioring agains I sandards
High degree o reliance on he knowledge o individuals managi ng
I operaions
Processes or monioring he I inrasr ucure were no suicienly
addressing he roo causes o operaional errors and ailures
9 Monitor and evaluate IT performance
Monioring is essenial or effecive managemen o I perormance and ensures ha hings are done in line wihhe se direcions and policies Tis process includes defining and reporing on relevan perormance indicaors andaddressing deviaions promply
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 2 o 4
Organizaions used ad hoc and in ormal approaches in monioring
and evaluaing I perormance
High degree o reliance on he knowledge o individuals monioring
aciviies
Procedures and indicaors or managing I perormance were sill
in developmen
Where mon ioring processes exis he indicaors were oupu-based
raher han oucome-based
WHAT WE OBSERVED
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1725
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
WHAT ORGANIZATIONSSHOULD DO
W983141 983154983141983139 983151983149983149 983141983150983140 983156983144983137983156 wih regard o he general compuing conrols organizaions in he BC
Governmen Reporing Eniy periodically
983089 review heir business and I goals and
deermine he arge mauriy level
983090 analyze he conrols necessary or meeing he
arge mauriy level
983091 deermine wha needs o be done o achieve he
arge mauriy level983092 monior he progress in achieving he arge
mauriy level
in accordance wih he COBI 983092983089 mauriy model
We also recommend ha he BC Office o he
Governmen Chie Inormaion Officer coninue o
promoe srong general compuing conrols and assis
governmen organizaions in achieving and improving
heir arge mauriy level
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1825
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
A v e r a g e m a t u r i t y
l e v e
l s
1 Assess and manage IT risks
0
1
2
3
4
5
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 36 30 29 40 38 25 25 23 21 23 22
A v e r a g e m a t u r i t y
l e v e
l s
2 Manage changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 39 36 33 38 38 31 28 26 24 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1925
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
A v e r a g e m a t u r i t y
l e v e
l s
3 Install and accredit solutions and changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 37 33 31 38 40 34 30 21 20 27 28
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
4 Manage third-party services
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 38 36 34 35 32 28 29 30 29 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2025
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
5 Ensure continuous service
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
32 32 30 29 34 33 24 23 26 25 28 27
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
6 Ensure systems security
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 37 32 28 33 38 28 25 22 25 28 26
A v e r a g e m a t u r i t y
l e v e
l s
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 35 36 35 38 38 38 34 30 28 29 29
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
8 Manage operations
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 36 38 36 41 40 35 32 33 33 31 32
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
9 Monitor and evaluate IT performance
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
28 25 28 25 32 28 18 16 22 18 21 21
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report titleTotal number of
recommendations
Number of
recommendationswithin the nine ITprocesses
Percentage of
recommendationswithin the nine ITprocesses
Audi o he Governmens Corporae AccouningSysem Par 1
14 12 86
Audi o he Governmens Corporae AccouningSysem Par 2
13 5 38
Elecronic Healh Record Implemenaionin Briish Columbia
3 2 67
Inormaion echnology Compendium - Web Applicaion Securiy Audi
4 4 100
Inegraed Case Managemen Sysem 7 5 71
I Coninuiy Planning in Governmen 9 9 100
Managing Access o he CorrecionsCase Managemen Sysem
9 9 100
Managing Governmens Paymen Processing 6 3 50
Securing he Jusin Sysem Accessand Securiy Audi a Te Minisry o Jusice
5 5 100
Summary Repor Resuls o Compleed Projecs -Ino Securiy Managemen An Audi on How WellGovernmen is Ideniying and Assessing is Risks
6 6 100
Summary Repor Resuls o Compleed Projecs - Wireless Neworking Securiy Phase 3
22 16 73
Te PARIS Sysem or CommuniyCare Services Access and Securiy 10 9 90
Wireless Neworking Securiy inGovernmen Phase 2
21 15 71
Wireless Neworking Securiy in VicoriaGovernmen Offices Gaps in he Deensive Line
4 4 100
Total 133 104 78
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains further information about the Office.
Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover, Assistant Auditor General, Corporate Services
David Lau, Director, IT Audit
Joji Forin, Manager, IT Audit
Joyce Mak, Senior Auditor, Financial Audit
Helen Li-Hennessey, Senior Auditor, Financial Audit
Nijjy Poikanon, Auditor, IT Audit
Wendy Lee, Senior Audit Associate, Financial Audit
Thank you to our staff members not listed above for your work on this project.
5 Ensure continuous service
The provision of continuous, uninterrupted service requires defining roles and responsibilities for all involved parties; developing, maintaining and periodic testing of IT continuity plans; using off-site backup storage for systems and data; and periodic IT continuity training. These processes help minimize the impact of a major IT service interruption on key business functions and processes.
Number of organizations with insufficient evidence:
Four organizations lacked sufficient evidence to support self-assessed maturity levels of 3, 3.5 or 4.
Deficiencies in general computing controls:
- Roles and responsibilities were not defined.
- Lack of training and monitoring for continuous service.
- IT continuity plans were:
  - non-existent
  - in the process of being developed
  - in existence but neither updated nor regularly tested
- Backup facility was close to the main data centre and was exposed to the same physical risks (earthquake, storm, flood, fire, etc.).
6 Ensure systems security
To maintain the integrity of critical information and protect their IT assets, organizations should define a security management process, which typically includes:
- establishing and maintaining IT security policies, standards, procedures, plans, roles and responsibilities
- monitoring and testing security plans periodically to identify security weaknesses or incidents
- developing and carrying out corrective actions in order to minimize their business impact
Number of organizations with insufficient evidence:
Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3 to 4.5.
Deficiencies in general computing controls:
- IT security policies, procedures and plans were:
  - not defined or formally documented
  - in the process of being developed
  - not current
- IT security procedures were not aligned with IT security policies.
- Responsibility for systems security was neither clearly assigned nor independent from IT operations.
- Security awareness and training was limited.
- Risk and impact analysis, testing, monitoring and reporting on security were rarely carried out or was not aligned with business objectives.
7 Manage the physical environment
To protect computing facilities and staff from intentional or unintentional harm, organizations should:
- define the roles and responsibilities for managing the physical environment
- establish appropriate physical site requirements
- monitor environmental factors
- manage physical access
Number of organizations with insufficient evidence:
Seven organizations lacked sufficient evidence to support self-assessed maturity levels between 2 and 5.
Deficiencies in general computing controls:
- Lack of formal documentation of defined:
  - roles and responsibilities
  - environmental and physical security requirements
- Physical access to computing facilities was neither monitored nor reviewed.
- Some organizations had not implemented preventive measures; where they had, the monitoring was weak.
- Not all staff were trained in health, safety and emergency procedures.
8 Manage operations
To ensure complete and accurate processing of data and minimize delays in business operations, organizations need to have effective management of data processing procedures and diligent maintenance of computing hardware. This includes:
- defining roles and responsibilities for managing IT operations
- establishing operating policies and procedures for data processing
- protecting sensitive reports
- monitoring IT infrastructure performance
- ensuring preventive maintenance of computing hardware
Number of organizations with insufficient evidence:
Five organizations lacked sufficient evidence to support self-assessed maturity levels of 3.75, 4 or 4.5.
Deficiencies in general computing controls:
- Lack of formal or up-to-date documentation of:
  - IT standards and operating procedures
  - clearly defined responsibilities
- Lack of:
  - ongoing training
  - monitoring against IT standards
- High degree of reliance on the knowledge of individuals managing IT operations.
- Processes for monitoring the IT infrastructure were not sufficiently addressing the root causes of operational errors and failures.
9 Monitor and evaluate IT performance
Monitoring is essential for effective management of IT performance and ensures that things are done in line with the set directions and policies. This process includes defining and reporting on relevant performance indicators and addressing deviations promptly.
Number of organizations with insufficient evidence:
Five organizations lacked sufficient evidence to support self-assessed maturity levels of 2 to 4.
Deficiencies in general computing controls:
- Organizations used ad hoc and informal approaches in monitoring and evaluating IT performance.
- High degree of reliance on the knowledge of individuals monitoring activities.
- Procedures and indicators for managing IT performance were still in development.
- Where monitoring processes exist, the indicators were output-based rather than outcome-based.
Source: Office of the Auditor General of British Columbia
WHAT ORGANIZATIONS SHOULD DO
We recommend that, with regard to the general computing controls, organizations in the BC Government Reporting Entity periodically:
1. review their business and IT goals and determine the target maturity level
2. analyze the controls necessary for meeting the target maturity level
3. determine what needs to be done to achieve the target maturity level
4. monitor the progress in achieving the target maturity level
in accordance with the COBIT 4.1 maturity model.
We also recommend that the BC Office of the Government Chief Information Officer continue to promote strong general computing controls and assist government organizations in achieving and improving their target maturity level.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
[Figure: 1 Assess and manage IT risks. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 3.8 3.6 3.0 2.9 4.0 3.8 2.5 2.5 2.3 2.1 2.3 2.2]
[Figure: 2 Manage changes. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 3.9 3.9 3.6 3.3 3.8 3.8 3.1 2.8 2.6 2.4 2.7 2.5]
[Figure: 3 Install and accredit solutions and changes. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 3.8 3.7 3.3 3.1 3.8 4.0 3.4 3.0 2.1 2.0 2.7 2.8]
[Figure: 4 Manage third-party services. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 3.9 3.8 3.6 3.4 3.5 3.2 2.8 2.9 3.0 2.9 2.7 2.5]
[Figure: 5 Ensure continuous service. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 3.2 3.2 3.0 2.9 3.4 3.3 2.4 2.3 2.6 2.5 2.8 2.7]
[Figure: 6 Ensure systems security. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 3.7 3.7 3.2 2.8 3.3 3.8 2.8 2.5 2.2 2.5 2.8 2.6]
[Figure: 7 Manage the physical environment. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 3.7 3.5 3.6 3.5 3.8 3.8 3.8 3.4 3.0 2.8 2.9 2.9]
[Figure: 8 Manage operations. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 3.7 3.6 3.8 3.6 4.1 4.0 3.5 3.2 3.3 3.3 3.1 3.2]
[Figure: 9 Monitor and evaluate IT performance. Vertical axis: average maturity levels, 0 to 5. Categories: School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries. Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels in printed order: 2.8 2.5 2.8 2.5 3.2 2.8 1.8 1.6 2.2 1.8 2.1 2.1]
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report titleTotal number of
recommendations
Number of
recommendationswithin the nine ITprocesses
Percentage of
recommendationswithin the nine ITprocesses
Audi o he Governmens Corporae AccouningSysem Par 1
14 12 86
Audi o he Governmens Corporae AccouningSysem Par 2
13 5 38
Elecronic Healh Record Implemenaionin Briish Columbia
3 2 67
Inormaion echnology Compendium - Web Applicaion Securiy Audi
4 4 100
Inegraed Case Managemen Sysem 7 5 71
I Coninuiy Planning in Governmen 9 9 100
Managing Access o he CorrecionsCase Managemen Sysem
9 9 100
Managing Governmens Paymen Processing 6 3 50
Securing he Jusin Sysem Accessand Securiy Audi a Te Minisry o Jusice
5 5 100
Summary Repor Resuls o Compleed Projecs -Ino Securiy Managemen An Audi on How WellGovernmen is Ideniying and Assessing is Risks
6 6 100
Summary Repor Resuls o Compleed Projecs - Wireless Neworking Securiy Phase 3
22 16 73
Te PARIS Sysem or CommuniyCare Services Access and Securiy 10 9 90
Wireless Neworking Securiy inGovernmen Phase 2
21 15 71
Wireless Neworking Securiy in VicoriaGovernmen Offices Gaps in he Deensive Line
4 4 100
Total 133 104 78
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
Location
983094983090983091 For Sree
Vicoria Briish Columbia
Canada V983096W 983089G983089
Office Hours
Monday o Friday
983096983091983088 am ndash 983092983091983088 pm
Telephone 983090983093983088-983092983089983097-983094983089983088983088
oll ree hrough Enquiry BC a 983089-983096983088983088-983094983094983091-983095983096983094983095
In Vancouver dial 983094983088983092-983094983094 983088-983090983092983090983089
Fax 983090983093983088-983091983096983095-983089983090983091983088
Email bcaudiorbcaudiorcom
Website wwwbcaudiorcom
Tis repor and ohers are available a our websie which also conains
urher inormaion abou he Office
Reproducing
Inormaion presened here is he inellecual propery o he Audior
General o Briish Columbia and is copyrigh proeced in righ o he
Crown We invie readers o reproduce any maerial asking only ha
hey credi our Office wih auhorship when any inormaion resuls or
recommendaions are used
AUDIT TEAMCornell Dover
Assistant Auditor General
Corporate Services
David Lau
Director I Audit
Joji Forin
Manager I Audit
Joyce Mak
Senior Auditor Financial Audit
Helen Li- Hennessey
Senior Auditor Financial Audit
Nijjy Poikanon
Auditor I Audit
Wendy Lee
Senior Audit Associate
Financial Audit
Tank you to our staff members
not listed above for your work on
this project
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1525
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
o proec compuing aciliies and saff rom inenional or uninenional harm organizaions should
deine he roles and responsibiliies or managing he physical environmen
esablish appropriae physical sie requiremens
monior environmenal acors
manage physical access
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Seven organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels beween 2 and 5
Lack o ormal documenaion o deined
roles and responsibiliies
environmenal and physical securiy requiremens
Physical access o compuing aciliies was neiher moniored norreviewed
Some organizaions had no implemened prevenive measures
where hey had he monioring was weak
No all sa were rained in healh saey and emergency procedures
WHAT WE OBSERVED
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1625
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
8 Manage operations
o ensure complee and accurae processing o daa and minimize delays in business operaions organizaions needo have effecive managemen o daa processing procedures and diligen mainenance o compuing hardware Tis
includes deining roles and responsibiliies or managing I operaions
esablishing operaing pol icies and procedures or daa processing
proecing sensiive repors
monioring I inrasrucure perormance
ensuring prevenive mainenance o compuing hardware
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 375 4 or 45
Lack o ormal or up-o-dae documenaion o
I sandards a nd operaing procedures
clearly deined responsibiliies
Lack o
ongoing raining
monioring agains I sandards
High degree o reliance on he knowledge o individuals managi ng
I operaions
Processes or monioring he I inrasr ucure were no suicienly
addressing he roo causes o operaional errors and ailures
9 Monitor and evaluate IT performance
Monioring is essenial or effecive managemen o I perormance and ensures ha hings are done in line wihhe se direcions and policies Tis process includes defining and reporing on relevan perormance indicaors andaddressing deviaions promply
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 2 o 4
Organizaions used ad hoc and in ormal approaches in monioring
and evaluaing I perormance
High degree o reliance on he knowledge o individuals monioring
aciviies
Procedures and indicaors or managing I perormance were sill
in developmen
Where mon ioring processes exis he indicaors were oupu-based
raher han oucome-based
WHAT WE OBSERVED
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1725
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
WHAT ORGANIZATIONSSHOULD DO
W983141 983154983141983139 983151983149983149 983141983150983140 983156983144983137983156 wih regard o he general compuing conrols organizaions in he BC
Governmen Reporing Eniy periodically
983089 review heir business and I goals and
deermine he arge mauriy level
983090 analyze he conrols necessary or meeing he
arge mauriy level
983091 deermine wha needs o be done o achieve he
arge mauriy level983092 monior he progress in achieving he arge
mauriy level
in accordance wih he COBI 983092983089 mauriy model
We also recommend ha he BC Office o he
Governmen Chie Inormaion Officer coninue o
promoe srong general compuing conrols and assis
governmen organizaions in achieving and improving
heir arge mauriy level
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1825
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
A v e r a g e m a t u r i t y
l e v e
l s
1 Assess and manage IT risks
0
1
2
3
4
5
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 36 30 29 40 38 25 25 23 21 23 22
A v e r a g e m a t u r i t y
l e v e
l s
2 Manage changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 39 36 33 38 38 31 28 26 24 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1925
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
A v e r a g e m a t u r i t y
l e v e
l s
3 Install and accredit solutions and changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 37 33 31 38 40 34 30 21 20 27 28
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
4 Manage third-party services
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 38 36 34 35 32 28 29 30 29 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2025
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
5 Ensure continuous service
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
32 32 30 29 34 33 24 23 26 25 28 27
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
6 Ensure systems security
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 37 32 28 33 38 28 25 22 25 28 26
A v e r a g e m a t u r i t y
l e v e
l s
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 35 36 35 38 38 38 34 30 28 29 29
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
8 Manage operations
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 36 38 36 41 40 35 32 33 33 31 32
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
9 Monitor and evaluate IT performance
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
28 25 28 25 32 28 18 16 22 18 21 21
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report titleTotal number of
recommendations
Number of
recommendationswithin the nine ITprocesses
Percentage of
recommendationswithin the nine ITprocesses
Audi o he Governmens Corporae AccouningSysem Par 1
14 12 86
Audi o he Governmens Corporae AccouningSysem Par 2
13 5 38
Elecronic Healh Record Implemenaionin Briish Columbia
3 2 67
Inormaion echnology Compendium - Web Applicaion Securiy Audi
4 4 100
Inegraed Case Managemen Sysem 7 5 71
I Coninuiy Planning in Governmen 9 9 100
Managing Access o he CorrecionsCase Managemen Sysem
9 9 100
Managing Governmens Paymen Processing 6 3 50
Securing he Jusin Sysem Accessand Securiy Audi a Te Minisry o Jusice
5 5 100
Summary Repor Resuls o Compleed Projecs -Ino Securiy Managemen An Audi on How WellGovernmen is Ideniying and Assessing is Risks
6 6 100
Summary Repor Resuls o Compleed Projecs - Wireless Neworking Securiy Phase 3
22 16 73
Te PARIS Sysem or CommuniyCare Services Access and Securiy 10 9 90
Wireless Neworking Securiy inGovernmen Phase 2
21 15 71
Wireless Neworking Securiy in VicoriaGovernmen Offices Gaps in he Deensive Line
4 4 100
Total 133 104 78
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
Location
983094983090983091 For Sree
Vicoria Briish Columbia
Canada V983096W 983089G983089
Office Hours
Monday o Friday
983096983091983088 am ndash 983092983091983088 pm
Telephone 983090983093983088-983092983089983097-983094983089983088983088
oll ree hrough Enquiry BC a 983089-983096983088983088-983094983094983091-983095983096983094983095
In Vancouver dial 983094983088983092-983094983094 983088-983090983092983090983089
Fax 983090983093983088-983091983096983095-983089983090983091983088
Email bcaudiorbcaudiorcom
Website wwwbcaudiorcom
Tis repor and ohers are available a our websie which also conains
urher inormaion abou he Office
Reproducing
Inormaion presened here is he inellecual propery o he Audior
General o Briish Columbia and is copyrigh proeced in righ o he
Crown We invie readers o reproduce any maerial asking only ha
hey credi our Office wih auhorship when any inormaion resuls or
recommendaions are used
AUDIT TEAMCornell Dover
Assistant Auditor General
Corporate Services
David Lau
Director I Audit
Joji Forin
Manager I Audit
Joyce Mak
Senior Auditor Financial Audit
Helen Li- Hennessey
Senior Auditor Financial Audit
Nijjy Poikanon
Auditor I Audit
Wendy Lee
Senior Audit Associate
Financial Audit
Tank you to our staff members
not listed above for your work on
this project
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1625
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
8 Manage operations
o ensure complee and accurae processing o daa and minimize delays in business operaions organizaions needo have effecive managemen o daa processing procedures and diligen mainenance o compuing hardware Tis
includes deining roles and responsibiliies or managing I operaions
esablishing operaing pol icies and procedures or daa processing
proecing sensiive repors
monioring I inrasrucure perormance
ensuring prevenive mainenance o compuing hardware
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 375 4 or 45
Lack o ormal or up-o-dae documenaion o
I sandards a nd operaing procedures
clearly deined responsibiliies
Lack o
ongoing raining
monioring agains I sandards
High degree o reliance on he knowledge o individuals managi ng
I operaions
Processes or monioring he I inrasr ucure were no suicienly
addressing he roo causes o operaional errors and ailures
9 Monitor and evaluate IT performance
Monioring is essenial or effecive managemen o I perormance and ensures ha hings are done in line wihhe se direcions and policies Tis process includes defining and reporing on relevan perormance indicaors andaddressing deviaions promply
Number of organizations withinsufficient evidence Deficiencies in general computing controls
Five organizaions lacked sufficienevidence o suppor sel-assessedmauriy levels o 2 o 4
Organizaions used ad hoc and in ormal approaches in monioring
and evaluaing I perormance
High degree o reliance on he knowledge o individuals monioring
aciviies
Procedures and indicaors or managing I perormance were sill
in developmen
Where mon ioring processes exis he indicaors were oupu-based
raher han oucome-based
WHAT WE OBSERVED
Source Office o he Audior General o Briish Columbia
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1725
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
WHAT ORGANIZATIONSSHOULD DO
W983141 983154983141983139 983151983149983149 983141983150983140 983156983144983137983156 wih regard o he general compuing conrols organizaions in he BC
Governmen Reporing Eniy periodically
983089 review heir business and I goals and
deermine he arge mauriy level
983090 analyze he conrols necessary or meeing he
arge mauriy level
983091 deermine wha needs o be done o achieve he
arge mauriy level983092 monior he progress in achieving he arge
mauriy level
in accordance wih he COBI 983092983089 mauriy model
We also recommend ha he BC Office o he
Governmen Chie Inormaion Officer coninue o
promoe srong general compuing conrols and assis
governmen organizaions in achieving and improving
heir arge mauriy level
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
1 Assess and manage IT risks
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 3.8 3.6 3.0 2.9 4.0 3.8 2.5 2.5 2.3 2.1 2.3 2.2]
2 Manage changes
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 3.9 3.9 3.6 3.3 3.8 3.8 3.1 2.8 2.6 2.4 2.7 2.5]
3 Install and accredit solutions and changes
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 3.8 3.7 3.3 3.1 3.8 4.0 3.4 3.0 2.1 2.0 2.7 2.8]
4 Manage third-party services
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 3.9 3.8 3.6 3.4 3.5 3.2 2.8 2.9 3.0 2.9 2.7 2.5]
5 Ensure continuous service
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 3.2 3.2 3.0 2.9 3.4 3.3 2.4 2.3 2.6 2.5 2.8 2.7]
6 Ensure systems security
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 3.7 3.7 3.2 2.8 3.3 3.8 2.8 2.5 2.2 2.5 2.8 2.6]
7 Manage the physical environment
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 3.7 3.5 3.6 3.5 3.8 3.8 3.8 3.4 3.0 2.8 2.9 2.9]
8 Manage operations
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 3.7 3.6 3.8 3.6 4.1 4.0 3.5 3.2 3.3 3.3 3.1 3.2]
9 Monitor and evaluate IT performance
[Chart: average maturity levels (scale 0 to 5) by type of organization (School Districts, Colleges, Universities, Health Authorities, Crown Corporations, Ministries). Legend: 2013 and 2014 average for type of organization; 2013 and 2014 average for IT process area. Data labels, in source order: 2.8 2.5 2.8 2.5 3.2 2.8 1.8 1.6 2.2 1.8 2.1 2.1]
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report title | Total number of recommendations | Number of recommendations within the nine IT processes | Percentage of recommendations within the nine IT processes
Audit of the Government's Corporate Accounting System Part 1 | 14 | 12 | 86
Audit of the Government's Corporate Accounting System Part 2 | 13 | 5 | 38
Electronic Health Record Implementation in British Columbia | 3 | 2 | 67
Information Technology Compendium - Web Application Security Audit | 4 | 4 | 100
Integrated Case Management System | 7 | 5 | 71
IT Continuity Planning in Government | 9 | 9 | 100
Managing Access to the Corrections Case Management System | 9 | 9 | 100
Managing Government's Payment Processing | 6 | 3 | 50
Securing the Justin System Access and Security Audit at The Ministry of Justice | 5 | 5 | 100
Summary Report Results of Completed Projects - Info Security Management An Audit on How Well Government is Identifying and Assessing its Risks | 6 | 6 | 100
Summary Report Results of Completed Projects - Wireless Networking Security Phase 3 | 22 | 16 | 73
The PARIS System for Community Care Services Access and Security | 10 | 9 | 90
Wireless Networking Security in Government Phase 2 | 21 | 15 | 71
Wireless Networking Security in Victoria Government Offices Gaps in the Defensive Line | 4 | 4 | 100
Total | 133 | 104 | 78
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1
Office Hours
Monday to Friday
8:30 am – 4:30 pm
Telephone: 250-419-6100
Toll free through Enquiry BC at 1-800-663-7867
In Vancouver dial 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com
This report and others are available at our website, which also contains further information about the Office.
Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.
AUDIT TEAM
Cornell Dover
Assistant Auditor General, Corporate Services
David Lau
Director, IT Audit
Joji Forin
Manager, IT Audit
Joyce Mak
Senior Auditor, Financial Audit
Helen Li- Hennessey
Senior Auditor, Financial Audit
Nijjy Poikanon
Auditor, IT Audit
Wendy Lee
Senior Audit Associate, Financial Audit
Thank you to our staff members not listed above for your work on this project.
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1725
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
WHAT ORGANIZATIONSSHOULD DO
W983141 983154983141983139 983151983149983149 983141983150983140 983156983144983137983156 wih regard o he general compuing conrols organizaions in he BC
Governmen Reporing Eniy periodically
983089 review heir business and I goals and
deermine he arge mauriy level
983090 analyze he conrols necessary or meeing he
arge mauriy level
983091 deermine wha needs o be done o achieve he
arge mauriy level983092 monior he progress in achieving he arge
mauriy level
in accordance wih he COBI 983092983089 mauriy model
We also recommend ha he BC Office o he
Governmen Chie Inormaion Officer coninue o
promoe srong general compuing conrols and assis
governmen organizaions in achieving and improving
heir arge mauriy level
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1825
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
A v e r a g e m a t u r i t y
l e v e
l s
1 Assess and manage IT risks
0
1
2
3
4
5
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 36 30 29 40 38 25 25 23 21 23 22
A v e r a g e m a t u r i t y
l e v e
l s
2 Manage changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 39 36 33 38 38 31 28 26 24 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1925
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
A v e r a g e m a t u r i t y
l e v e
l s
3 Install and accredit solutions and changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 37 33 31 38 40 34 30 21 20 27 28
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
4 Manage third-party services
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 38 36 34 35 32 28 29 30 29 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2025
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
5 Ensure continuous service
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
32 32 30 29 34 33 24 23 26 25 28 27
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
6 Ensure systems security
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 37 32 28 33 38 28 25 22 25 28 26
A v e r a g e m a t u r i t y
l e v e
l s
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 35 36 35 38 38 38 34 30 28 29 29
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
8 Manage operations
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 36 38 36 41 40 35 32 33 33 31 32
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
9 Monitor and evaluate IT performance
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
28 25 28 25 32 28 18 16 22 18 21 21
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report titleTotal number of
recommendations
Number of
recommendationswithin the nine ITprocesses
Percentage of
recommendationswithin the nine ITprocesses
Audi o he Governmens Corporae AccouningSysem Par 1
14 12 86
Audi o he Governmens Corporae AccouningSysem Par 2
13 5 38
Elecronic Healh Record Implemenaionin Briish Columbia
3 2 67
Inormaion echnology Compendium - Web Applicaion Securiy Audi
4 4 100
Inegraed Case Managemen Sysem 7 5 71
I Coninuiy Planning in Governmen 9 9 100
Managing Access o he CorrecionsCase Managemen Sysem
9 9 100
Managing Governmens Paymen Processing 6 3 50
Securing he Jusin Sysem Accessand Securiy Audi a Te Minisry o Jusice
5 5 100
Summary Repor Resuls o Compleed Projecs -Ino Securiy Managemen An Audi on How WellGovernmen is Ideniying and Assessing is Risks
6 6 100
Summary Repor Resuls o Compleed Projecs - Wireless Neworking Securiy Phase 3
22 16 73
Te PARIS Sysem or CommuniyCare Services Access and Securiy 10 9 90
Wireless Neworking Securiy inGovernmen Phase 2
21 15 71
Wireless Neworking Securiy in VicoriaGovernmen Offices Gaps in he Deensive Line
4 4 100
Total 133 104 78
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
Location
983094983090983091 For Sree
Vicoria Briish Columbia
Canada V983096W 983089G983089
Office Hours
Monday o Friday
983096983091983088 am ndash 983092983091983088 pm
Telephone 983090983093983088-983092983089983097-983094983089983088983088
oll ree hrough Enquiry BC a 983089-983096983088983088-983094983094983091-983095983096983094983095
In Vancouver dial 983094983088983092-983094983094 983088-983090983092983090983089
Fax 983090983093983088-983091983096983095-983089983090983091983088
Email bcaudiorbcaudiorcom
Website wwwbcaudiorcom
Tis repor and ohers are available a our websie which also conains
urher inormaion abou he Office
Reproducing
Inormaion presened here is he inellecual propery o he Audior
General o Briish Columbia and is copyrigh proeced in righ o he
Crown We invie readers o reproduce any maerial asking only ha
hey credi our Office wih auhorship when any inormaion resuls or
recommendaions are used
AUDIT TEAMCornell Dover
Assistant Auditor General
Corporate Services
David Lau
Director I Audit
Joji Forin
Manager I Audit
Joyce Mak
Senior Auditor Financial Audit
Helen Li- Hennessey
Senior Auditor Financial Audit
Nijjy Poikanon
Auditor I Audit
Wendy Lee
Senior Audit Associate
Financial Audit
Tank you to our staff members
not listed above for your work on
this project
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1825
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
A v e r a g e m a t u r i t y
l e v e
l s
1 Assess and manage IT risks
0
1
2
3
4
5
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 36 30 29 40 38 25 25 23 21 23 22
A v e r a g e m a t u r i t y
l e v e
l s
2 Manage changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 39 36 33 38 38 31 28 26 24 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1925
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
A v e r a g e m a t u r i t y
l e v e
l s
3 Install and accredit solutions and changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 37 33 31 38 40 34 30 21 20 27 28
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
4 Manage third-party services
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 38 36 34 35 32 28 29 30 29 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2025
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
5 Ensure continuous service
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
32 32 30 29 34 33 24 23 26 25 28 27
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
6 Ensure systems security
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 37 32 28 33 38 28 25 22 25 28 26
A v e r a g e m a t u r i t y
l e v e
l s
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 35 36 35 38 38 38 34 30 28 29 29
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
8 Manage operations
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 36 38 36 41 40 35 32 33 33 31 32
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
9 Monitor and evaluate IT performance
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
28 25 28 25 32 28 18 16 22 18 21 21
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report titleTotal number of
recommendations
Number of
recommendationswithin the nine ITprocesses
Percentage of
recommendationswithin the nine ITprocesses
Audi o he Governmens Corporae AccouningSysem Par 1
14 12 86
Audi o he Governmens Corporae AccouningSysem Par 2
13 5 38
Elecronic Healh Record Implemenaionin Briish Columbia
3 2 67
Inormaion echnology Compendium - Web Applicaion Securiy Audi
4 4 100
Inegraed Case Managemen Sysem 7 5 71
I Coninuiy Planning in Governmen 9 9 100
Managing Access o he CorrecionsCase Managemen Sysem
9 9 100
Managing Governmens Paymen Processing 6 3 50
Securing he Jusin Sysem Accessand Securiy Audi a Te Minisry o Jusice
5 5 100
Summary Repor Resuls o Compleed Projecs -Ino Securiy Managemen An Audi on How WellGovernmen is Ideniying and Assessing is Risks
6 6 100
Summary Repor Resuls o Compleed Projecs - Wireless Neworking Securiy Phase 3
22 16 73
Te PARIS Sysem or CommuniyCare Services Access and Securiy 10 9 90
Wireless Neworking Securiy inGovernmen Phase 2
21 15 71
Wireless Neworking Securiy in VicoriaGovernmen Offices Gaps in he Deensive Line
4 4 100
Total 133 104 78
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
Location
983094983090983091 For Sree
Vicoria Briish Columbia
Canada V983096W 983089G983089
Office Hours
Monday o Friday
983096983091983088 am ndash 983092983091983088 pm
Telephone 983090983093983088-983092983089983097-983094983089983088983088
oll ree hrough Enquiry BC a 983089-983096983088983088-983094983094983091-983095983096983094983095
In Vancouver dial 983094983088983092-983094983094 983088-983090983092983090983089
Fax 983090983093983088-983091983096983095-983089983090983091983088
Email bcaudiorbcaudiorcom
Website wwwbcaudiorcom
Tis repor and ohers are available a our websie which also conains
urher inormaion abou he Office
Reproducing
Inormaion presened here is he inellecual propery o he Audior
General o Briish Columbia and is copyrigh proeced in righ o he
Crown We invie readers o reproduce any maerial asking only ha
hey credi our Office wih auhorship when any inormaion resuls or
recommendaions are used
AUDIT TEAMCornell Dover
Assistant Auditor General
Corporate Services
David Lau
Director I Audit
Joji Forin
Manager I Audit
Joyce Mak
Senior Auditor Financial Audit
Helen Li- Hennessey
Senior Auditor Financial Audit
Nijjy Poikanon
Auditor I Audit
Wendy Lee
Senior Audit Associate
Financial Audit
Tank you to our staff members
not listed above for your work on
this project
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2525
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 1925
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
A v e r a g e m a t u r i t y
l e v e
l s
3 Install and accredit solutions and changes
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
38 37 33 31 38 40 34 30 21 20 27 28
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
4 Manage third-party services
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
39 38 36 34 35 32 28 29 30 29 27 25
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2025
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
5 Ensure continuous service
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
32 32 30 29 34 33 24 23 26 25 28 27
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
6 Ensure systems security
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 37 32 28 33 38 28 25 22 25 28 26
A v e r a g e m a t u r i t y
l e v e
l s
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2125
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
7 Manage the physical environment
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 35 36 35 38 38 38 34 30 28 29 29
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
8 Manage operations
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
37 36 38 36 41 40 35 32 33 33 31 32
2013 Average for type of organization2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2225
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
9 Monitor and evaluate IT performance
0
1
2
3
4
5
School DistrictsCollegesUniversitiesHealth AuthoritiesCrown CorporationsMinistries
28 25 28 25 32 28 18 16 22 18 21 21
2013 Average for type of organization
2014 Average for type of organization 2014 Average for IT process area
2013 Average for IT process area
A v e r a g e m a t u r i t y
l e v e
l s
APPENDIX A MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2325
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
APPENDIX B SUMMARY OF IT AUDIT RECOMMENDATIONS OVER THE LAST 10 YEARS
IT audit report titleTotal number of
recommendations
Number of
recommendationswithin the nine ITprocesses
Percentage of
recommendationswithin the nine ITprocesses
Audi o he Governmens Corporae AccouningSysem Par 1
14 12 86
Audi o he Governmens Corporae AccouningSysem Par 2
13 5 38
Elecronic Healh Record Implemenaionin Briish Columbia
3 2 67
Inormaion echnology Compendium - Web Applicaion Securiy Audi
4 4 100
Inegraed Case Managemen Sysem 7 5 71
I Coninuiy Planning in Governmen 9 9 100
Managing Access o he CorrecionsCase Managemen Sysem
9 9 100
Managing Governmens Paymen Processing 6 3 50
Securing he Jusin Sysem Accessand Securiy Audi a Te Minisry o Jusice
5 5 100
Summary Repor Resuls o Compleed Projecs -Ino Securiy Managemen An Audi on How WellGovernmen is Ideniying and Assessing is Risks
6 6 100
Summary Repor Resuls o Compleed Projecs - Wireless Neworking Securiy Phase 3
22 16 73
Te PARIS Sysem or CommuniyCare Services Access and Securiy 10 9 90
Wireless Neworking Securiy inGovernmen Phase 2
21 15 71
Wireless Neworking Securiy in VicoriaGovernmen Offices Gaps in he Deensive Line
4 4 100
Total 133 104 78
8202019 Auditor General of BC - The Status of Governmentrsquos General Computing Controls 2014
httpslidepdfcomreaderfullauditor-general-of-bc-the-status-of-governments-general-computing-controls 2425
Auditor General of British Columbia | December 2015 | The Status of Governmentrsquos General Computing Controls 2014
Location
623 Fort Street
Victoria, British Columbia
Canada V8W 1G1

Office Hours
Monday to Friday
8:30 am – 4:30 pm

Telephone: 250-419-6100
Toll free through Enquiry BC at: 1-800-663-7867
In Vancouver dial: 604-660-2421
Fax: 250-387-1230
Email: bcauditor@bcauditor.com
Website: www.bcauditor.com

This report and others are available at our website, which also contains further information about the Office.

Reproducing
Information presented here is the intellectual property of the Auditor General of British Columbia and is copyright protected in right of the Crown. We invite readers to reproduce any material, asking only that they credit our Office with authorship when any information, results or recommendations are used.

AUDIT TEAM
Cornell Dover, Assistant Auditor General, Corporate Services
David Lau, Director, IT Audit
Joji Forin, Manager, IT Audit
Joyce Mak, Senior Auditor, Financial Audit
Helen Li-Hennessey, Senior Auditor, Financial Audit
Nijjy Poikanon, Auditor, IT Audit
Wendy Lee, Senior Audit Associate, Financial Audit

Thank you to our staff members not listed above for your work on this project.
APPENDIX A: MATURITY LEVEL BY IT PROCESS AND TYPE OF ORGANIZATION

[Figure: 5. Ensure continuous service. Average maturity levels (scale 0 to 5) for School Districts, Colleges, Universities, Health Authorities, Crown Corporations and Ministries. Legend: 2013 average for type of organization; 2014 average for type of organization; 2013 average for IT process area; 2014 average for IT process area. Data labels: 32 32 30 29 34 33 24 23 26 25 28 27]

[Figure: 6. Ensure systems security. Average maturity levels (scale 0 to 5) for School Districts, Colleges, Universities, Health Authorities, Crown Corporations and Ministries. Legend: 2013 average for type of organization; 2014 average for type of organization; 2013 average for IT process area; 2014 average for IT process area. Data labels: 37 37 32 28 33 38 28 25 22 25 28 26]
[Figure: 7. Manage the physical environment. Average maturity levels (scale 0 to 5) for School Districts, Colleges, Universities, Health Authorities, Crown Corporations and Ministries. Legend: 2013 average for type of organization; 2014 average for type of organization; 2013 average for IT process area; 2014 average for IT process area. Data labels: 37 35 36 35 38 38 38 34 30 28 29 29]

[Figure: 8. Manage operations. Average maturity levels (scale 0 to 5) for School Districts, Colleges, Universities, Health Authorities, Crown Corporations and Ministries. Legend: 2013 average for type of organization; 2014 average for type of organization; 2013 average for IT process area; 2014 average for IT process area. Data labels: 37 36 38 36 41 40 35 32 33 33 31 32]
[Figure: 9. Monitor and evaluate IT performance. Average maturity levels (scale 0 to 5) for School Districts, Colleges, Universities, Health Authorities, Crown Corporations and Ministries. Legend: 2013 average for type of organization; 2014 average for type of organization; 2013 average for IT process area; 2014 average for IT process area. Data labels: 28 25 28 25 32 28 18 16 22 18 21 21]